BESS Working Group                                               W. Wang
Internet-Draft                                                   A. Wang
Intended status: Standards Track                           China Telecom
Expires: August 23, 2021                               February 19, 2021


                    Layer-3 Accessible EVPN Services
                 draft-wang-bess-l3-accessible-evpn-00

Abstract

   This draft describes a new mechanism called "Layer-3 accessible EVPN
   services", which extends the EVPN Service Interfaces of [RFC7432].
   The mechanism allows a Layer-3 network to run between CE and PE, and
   defines a Logical Session Identifier (LSI) for traffic isolation.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 23, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Wang & Wang             Expires August 23, 2021                 [Page 1]

Internet-Draft            L3 Accessible EVPN               February 2021

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions used in this document . . . . . . . . . . . . . .   2
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Logical Session Identifier (LSI)  . . . . . . . . . . . . . .   3
     4.1.  The generation of LSI in VxLAN usecase  . . . . . . . . .   3
     4.2.  The generation of LSI in IPSec usecase  . . . . . . . . .   4
     4.3.  The generation of LSI in GRE usecase  . . . . . . . . . .   4
   5.  Service Interfaces  . . . . . . . . . . . . . . . . . . . . .   4
     5.1.  LSI-Based Service Interface . . . . . . . . . . . . . . .   4
     5.2.  LSI-Bundled Service Interface . . . . . . . . . . . . . .   5
     5.3.  LSI-Aware Bundled Service Interface . . . . . . . . . . .   5
   6.  The transmission of LSI . . . . . . . . . . . . . . . . . . .   5
     6.1.  Data Plane  . . . . . . . . . . . . . . . . . . . . . . .   5
       6.1.1.  Extensions to VxLAN . . . . . . . . . . . . . . . . .   5
     6.2.  Control Plane . . . . . . . . . . . . . . . . . . . . . .   6
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   9.  Normative References  . . . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   [RFC7432] defines three service interfaces: the VLAN-Based Service
   Interface, the VLAN-Bundled Service Interface and the VLAN-Aware
   Bundled Service Interface.  These three types of interface suit
   different scenarios and isolate the Layer-2 and Layer-3 routing and
   traffic of different customers at different granularities.

   In the scenarios these service interfaces cover, CE and PE should be
   placed in the same Layer-2 network.  That condition often cannot be
   met in current network deployments, because CE and PE frequently
   need to communicate across a Layer-3 network.

   This draft defines a new identifier called the Logical Session
   Identifier (LSI) and describes the mechanism for transmitting the
   LSI.  Using the LSI, a CE can access an EVPN with VxLAN encapsulation
   through a Layer-3 network.

2.  Conventions used in this document
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   The following terms are defined in this draft:

   o  CE: Client Edge

   o  PE: Provider Edge

   o  EVPN: BGP/MPLS Ethernet VPN, defined in [RFC7432]

   o  VxLAN: Virtual eXtensible Local Area Network, defined in [RFC7348]

   o  IPSec: Internet Protocol Security, defined in [RFC4301]

   o  GRE: Generic Routing Encapsulation, defined in [RFC2890]

4.  Logical Session Identifier (LSI)

   When there is a Layer-3 network between CE and PE, the service
   interfaces defined in [RFC7432] cannot be used to isolate traffic.
   Instead, tunnel encapsulation technologies (e.g. VxLAN or IPSec) can
   be used to achieve the same goal.  In this draft, we define the
   Logical Session Identifier (LSI), a 16-bit value, to distinguish
   packets belonging to different tunnels.  The VxLAN, IPSec and GRE
   headers each contain a field that distinguishes sessions, and the LSI
   can be generated from that field.

4.1.  The generation of LSI in VxLAN usecase

   The format of the VxLAN Generic Protocol Encapsulation (GPE) header
   is shown in Figure 1.  Its VNI field can be used to distinguish
   different tunnels, and the LSI can be generated from it.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |R|R|Ver|I|P|B|O|            Reserved           | Next Protocol |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        VXLAN Network Identifier (VNI)         |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 Figure 1: The format of VxLAN GPE header

4.2.  The generation of LSI in IPSec usecase
   The format of the IPSec AH header is shown in Figure 2.  Its SPI
   field can be used to distinguish different tunnels (the SPI field of
   the ESP header has the same effect), and the LSI can be generated
   from it.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Header   |  Payload Len  |          RESERVED             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                Security Parameters Index (SPI)                |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Sequence Number Field                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +             Integrity Check Value-ICV (variable)              |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 2: The format of IPSec AH header

4.3.  The generation of LSI in GRE usecase

   The format of the GRE header is shown in Figure 3.  Its Key field
   can be used to distinguish different tunnels, and the LSI can be
   generated from it.

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |C| |K|S| Reserved0       | Ver |         Protocol Type         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Checksum (optional)      |       Reserved1 (Optional)    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Key (optional)                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Sequence Number (Optional)                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Figure 3: The format of GRE header

5.  Service Interfaces

5.1.  LSI-Based Service Interface

   With this service interface, EVIs and LSIs map one-to-one.  Each LSI
   corresponds to one VNI/SPI/Key and its own address space, and there
   is no interaction between different LSIs.
   PEs maintain the mapping table between LSI and VNI/SPI/Key, which
   ensures that a PE is able to restore the original tunnel information
   and forward the packet to the correct destination.

5.2.  LSI-Bundled Service Interface

   With this service interface, EVIs and LSIs map one-to-many: one
   VNI/SPI/Key and its address table correspond to all LSIs related to
   the same EVI.  The address spaces (MAC/IP addresses) of different
   LSIs MUST NOT overlap.  LSIs related to the same EVI can communicate
   with each other.  When a PE receives a packet carrying a certain LSI,
   it determines the forwarding destination from the MAC/IP address of
   the packet.

5.3.  LSI-Aware Bundled Service Interface

   With this service interface, EVIs and LSIs map one-to-many.  LSIs
   related to the same EVI correspond to one VNI/SPI/Key and its address
   table, in which the LSI information is also maintained, and the
   address spaces (MAC/IP addresses) of different LSIs can overlap.  LSIs
   related to the same EVI can communicate with each other.  When a PE
   receives a packet carrying a certain LSI, it determines the
   destination from the LSI information in the VNI's address table.

   To carry the LSI information along with the VNI/SPI/Key and transmit
   it across the Layer-3 network, several extensions are defined in
   Section 6.

6.  The transmission of LSI

6.1.  Data Plane

6.1.1.  Extensions to VxLAN

   This solution only considers EVPN with VxLAN encapsulation.
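   The following Python is an added illustration, not part of the draft
   or of any implementation it describes.  It ties Sections 4 and 5
   together: it extracts the session-distinguishing field from each
   Section 4 encapsulation (the VNI of the VxLAN GPE header, the SPI of
   AH or ESP, the Key of GRE), allocates a 16-bit LSI for that field,
   and enforces the address-table rules of the three Section 5 service
   interfaces.  The draft does not say how an LSI is derived from the
   VNI/SPI/Key, so the sequential PE-local allocation in LsiAllocator,
   the class and function names, and every header byte string below are
   this example's assumptions.  Each parser checks the header length and
   the I, K and C flags before reading a field, so a PE rejects a
   malformed header instead of deriving an LSI from leftover bits.

```python
# Added example, not part of the draft: session-field extraction (Section 4),
# an ASSUMED PE-local 16-bit LSI allocation, and the address-table rules of
# the three service interfaces (Section 5).
import struct


def vxlan_gpe_vni(hdr: bytes) -> int:
    """Figure 1: VNI is the upper 24 bits of the second word; valid only if I is set."""
    if len(hdr) < 8:
        raise ValueError("short VXLAN-GPE header")
    flags, vni_word = struct.unpack("!II", hdr[:8])
    if not (flags >> 27) & 1:                 # I flag = bit 4 of the first octet
        raise ValueError("I flag clear: VNI field is not valid")
    return vni_word >> 8


def ah_spi(hdr: bytes) -> int:
    """Figure 2: Next Header, Payload Len, RESERVED (2 octets), then the 32-bit SPI."""
    if len(hdr) < 8:
        raise ValueError("short AH header")
    return struct.unpack("!I", hdr[4:8])[0]


def esp_spi(hdr: bytes) -> int:
    """ESP (RFC 4303) begins with its SPI; the draft says it serves the same purpose."""
    if len(hdr) < 4:
        raise ValueError("short ESP header")
    return struct.unpack("!I", hdr[:4])[0]


def gre_key(hdr: bytes) -> int:
    """Figure 3: Key is present only if K is set and follows the optional
    Checksum/Reserved1 word, which is present only if C is set."""
    if len(hdr) < 4:
        raise ValueError("short GRE header")
    c_bit, k_bit = (hdr[0] >> 7) & 1, (hdr[0] >> 5) & 1
    if not k_bit:
        raise ValueError("K flag clear: GRE header carries no Key")
    off = 4 + (4 if c_bit else 0)
    if len(hdr) < off + 4:
        raise ValueError("short GRE header: Key word missing")
    return struct.unpack("!I", hdr[off:off + 4])[0]


class LsiAllocator:
    """ASSUMED PE-local table (tunnel type, VNI/SPI/Key) <-> LSI.  The draft
    only fixes the LSI width at 16 bits; the allocation policy is ours."""

    def __init__(self):
        self._by_session, self._by_lsi, self._next = {}, {}, 1   # LSI 0 never allocated

    def lsi_for(self, tunnel_type: str, session_field: int) -> int:
        key = (tunnel_type, session_field)
        if key not in self._by_session:
            if self._next > 0xFFFF:
                raise RuntimeError("16-bit LSI space exhausted")
            self._by_session[key], self._by_lsi[self._next] = self._next, key
            self._next += 1
        return self._by_session[key]

    def session_for(self, lsi: int):
        return self._by_lsi.get(lsi)           # None for an LSI never allocated


class Evi:
    """Address table of one EVI under one Section 5 service interface."""

    MODES = ("lsi-based", "lsi-bundled", "lsi-aware-bundled")

    def __init__(self, mode: str):
        if mode not in self.MODES:
            raise ValueError("unknown service interface: %s" % mode)
        self.mode, self.table, self.lsis = mode, {}, set()

    def _key(self, lsi, addr):
        # 5.3 keeps the LSI in the table so addresses may overlap between LSIs;
        # 5.1 and 5.2 key on the MAC/IP address alone.
        return (lsi, addr) if self.mode == "lsi-aware-bundled" else addr

    def learn(self, lsi: int, addr: str, next_hop: str) -> None:
        if self.mode == "lsi-based" and self.lsis and lsi not in self.lsis:
            raise ValueError("LSI-based: an EVI is bound to exactly one LSI")
        key = self._key(lsi, addr)
        if self.mode == "lsi-bundled" and key in self.table and self.table[key][0] != lsi:
            raise ValueError("LSI-bundled: address spaces of LSIs MUST NOT overlap")
        self.table[key] = (lsi, next_hop)
        self.lsis.add(lsi)

    def lookup(self, lsi: int, addr: str):
        """Next hop for a packet arriving with this LSI, or None (drop)."""
        if self.mode == "lsi-based" and lsi not in self.lsis:
            return None
        entry = self.table.get(self._key(lsi, addr))
        return entry[1] if entry else None


if __name__ == "__main__":
    # Constructed sample headers: VXLAN-GPE with I set and VNI 0x1234; GRE with C and K set.
    alloc = LsiAllocator()
    print("vxlan LSI", alloc.lsi_for("vxlan", vxlan_gpe_vni(bytes.fromhex("0800000000123400"))))
    print("gre   LSI", alloc.lsi_for("gre", gre_key(bytes.fromhex("a0006558123400000000002a"))))
```

   The LSI-bundled table refuses to learn the same MAC/IP address under
   a second LSI, which is the MUST NOT of Section 5.2 enforced at
   learning time; the LSI-aware table keys on (LSI, address) so the same
   address under two LSIs resolves to two different next hops, as
   Section 5.3 requires.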
   We extend the VxLAN GPE header to carry the LSI information; the
   extension to the VxLAN GPE header is shown in Figure 4:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |R|S|Ver|I|P|B|O|              LSI              | Next Protocol |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        VXLAN Network Identifier (VNI)         |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               Figure 4: The extensions to VxLAN GPE header

   If S is set to 1, the field following the flags carries the LSI.

6.2.  Control Plane

   PEs need to maintain the mapping table between LSI and VNI/SPI/Key,
   so the control plane should transmit the related information across
   the Layer-3 network.  For example, packets of multiple sessions can
   be transmitted between PE1 and PE2.  If PE2 tells PE1 through EVPN
   control signaling that a certain session's LSI is 12, PE1 will
   encapsulate this information in the corresponding packets.  After
   receiving an encapsulated packet, PE2 extracts the LSI, looks up the
   mapping table, finds the corresponding tunnel type and logical
   identification, and then re-encapsulates the packet and sends it to
   its destination.

   In [RFC7432], the Ethernet Segment Identifier (ESI) is defined to
   identify different Ethernet Segments (ES) in multihomed scenarios.
   The format of the ESI is shown in Figure 5:

   +---+---+---+---+---+---+---+---+---+---+
   | T |             ESI Value             |
   +---+---+---+---+---+---+---+---+---+---+

                      Figure 5: The format of ESI

   There are several ESI Types, all of which are used for Layer-2
   networks.  For the Layer-3 access network, we define a new ESI Type
   to carry the corresponding LSI.
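   As an added example (not the draft's own code), the following Python
   builds and parses the extended VxLAN GPE header of Figure 4, walks
   through the PE1/PE2 exchange of Section 6.2 with LSI 12, and encodes
   the 10-octet ESI of the new type whose layout Figure 6 gives (T, four
   reserved octets, a 3-octet CE Identifier, a 2-octet LSI).  The
   mapping-table contents, the CE identifier value, the class and
   function names, and the treatment of the 3-octet CE Identifier as an
   opaque 24-bit number are assumptions of this example.  On receipt, the
   16-bit field is only honoured as an LSI when the S flag is set, and a
   packet whose LSI is absent from the mapping table is dropped and
   counted rather than forwarded.

```python
# Added example, not part of the draft: the Figure 4 header extension,
# the Section 6.2 PE mapping-table step, and the Figure 6 ESI encoding.
# ASSUMPTIONS: table contents and the CE identifier value are constructed;
# the 3-octet CE Identifier is handled as an opaque 24-bit number.
import struct

S_BIT = 0x40   # bit 1 of the first octet (|R|S|Ver|I|P|B|O|): LSI present
I_BIT = 0x08   # bit 4: VNI field valid


def encode_ext_gpe(vni: int, next_proto: int, lsi=None, ver: int = 0) -> bytes:
    """Build the 8-octet header.  With lsi=None the S flag stays clear and the
    16-bit field is sent as the ordinary GPE Reserved field (zero)."""
    if not 0 <= vni <= 0xFFFFFF:
        raise ValueError("VNI is 24 bits")
    flags, field = ((ver & 0x3) << 4) | I_BIT, 0
    if lsi is not None:
        if not 0 <= lsi <= 0xFFFF:
            raise ValueError("LSI is 16 bits")
        flags, field = flags | S_BIT, lsi
    return struct.pack("!BHBI", flags, field, next_proto & 0xFF, vni << 8)


def decode_ext_gpe(hdr: bytes) -> dict:
    """Parse the header; 'lsi' is None unless S is set, so a receiver never
    treats leftover Reserved bits as a session identifier."""
    if len(hdr) < 8:
        raise ValueError("short VXLAN-GPE header")
    flags, field, next_proto, vni_word = struct.unpack("!BHBI", hdr[:8])
    if not flags & I_BIT:
        raise ValueError("I flag clear: VNI not valid")
    return {"ver": (flags >> 4) & 0x3, "next_proto": next_proto,
            "vni": vni_word >> 8, "lsi": field if flags & S_BIT else None}


class PeMappingTable:
    """Section 6.2: LSI -> (tunnel type, VNI/SPI/Key), filled from the peer's
    EVPN signalling.  Packets with an unknown LSI are dropped and counted."""

    def __init__(self):
        self._map, self.dropped_unknown_lsi = {}, 0

    def advertise(self, lsi: int, tunnel_type: str, session_id: int) -> None:
        self._map[lsi] = (tunnel_type, session_id)

    def restore(self, hdr: bytes):
        """(tunnel type, logical identifier) for the LSI carried in hdr, or None."""
        lsi = decode_ext_gpe(hdr)["lsi"]
        entry = self._map.get(lsi) if lsi is not None else None
        if entry is None:
            self.dropped_unknown_lsi += 1
        return entry


ESI_TYPE_LSI = 0x06   # recommended T value from the draft


def encode_esi(ce_id: int, lsi: int) -> bytes:
    """Figure 6: T (1) | Reserved (4) | CE Identifier (3) | LSI (2) = 10 octets."""
    if not 0 <= ce_id <= 0xFFFFFF or not 0 <= lsi <= 0xFFFF:
        raise ValueError("CE Identifier is 24 bits, LSI is 16 bits")
    return (bytes([ESI_TYPE_LSI]) + b"\x00" * 4
            + ce_id.to_bytes(3, "big") + lsi.to_bytes(2, "big"))


def decode_esi(esi: bytes) -> dict:
    if len(esi) != 10:
        raise ValueError("ESI is 10 octets")
    if esi[0] != ESI_TYPE_LSI:
        raise ValueError("not the LSI-carrying ESI type")
    return {"ce_id": int.from_bytes(esi[5:8], "big"),
            "lsi": int.from_bytes(esi[8:10], "big")}


if __name__ == "__main__":
    # Constructed exchange: PE2 signals LSI 12 for a VxLAN session with VNI 5000,
    # PE1 stamps it into the header, PE2 restores the tunnel information.
    pe2 = PeMappingTable()
    pe2.advertise(12, "vxlan", 5000)
    from_pe1 = encode_ext_gpe(5000, 0x03, lsi=12)
    print(from_pe1.hex(), "->", pe2.restore(from_pe1))
    print(encode_esi(0x0A0001, 12).hex())
```

   The header with S clear decodes to lsi=None and is dropped by the
   mapping step just like an unadvertised LSI, which keeps a plain GPE
   sender from being forwarded as session 0.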
   The format of the new ESI Type is shown in Figure 6:

   +---+---+---+---+---+---+---+---+---+---+
   | T |   Reserved    |CE Identifier| LSI |
   +---+---+---+---+---+---+---+---+---+---+

               Figure 6: The format of the new ESI Type

   Where:

   o  T (1 octet): specifies the ESI Type.  The recommended value is
      0x06.

   o  CE Identifier (3 octets): the route ID/IPv4 address of the CE.

   o  LSI (2 octets): the LSI information associated with PE-CE.

7.  Security Considerations

   TBD

8.  IANA Considerations

   This draft extends the VxLAN GPE header: the S bit of the flags and
   the LSI field are added:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |R|S|Ver|I|P|B|O|              LSI              | Next Protocol |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        VXLAN Network Identifier (VNI)         |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               Figure 4: The extensions to VxLAN GPE header

   This draft defines a new ESI type; the recommended value of its T
   field is 0x06.

9.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2890]  Dommety, G., "Key and Sequence Number Extensions to GRE",
              RFC 2890, DOI 10.17487/RFC2890, September 2000.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC7348]  Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
              L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
              eXtensible Local Area Network (VXLAN): A Framework for
              Overlaying Virtualized Layer 2 Networks over Layer 3
              Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014.

   [RFC7432]  Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A.,
              Uttaro, J., Drake, J., and W.
              Henderickx, "BGP MPLS-Based Ethernet VPN", RFC 7432,
              DOI 10.17487/RFC7432, February 2015.

Authors' Addresses

   Wei Wang
   China Telecom
   Beiqijia Town, Changping District
   Beijing, Beijing  102209
   China

   Email: weiwang94@foxmail.com


   Aijun Wang
   China Telecom
   Beiqijia Town, Changping District
   Beijing, Beijing  102209
   China

   Email: wangaj3@chinatelecom.cn