Network Working Group F. Duan Internet-Draft S. Chen Intended status: Standards Track Huawei Technologies Expires: 10 May 2023 6 November 2022 Multicast VPN Upstream Designated Forwarder Selection draft-wang-bess-mvpn-upstream-df-selection-02 Abstract This document defines Multicast Virtual Private Network (VPN) extensions and procedures of designated forwarder election performed between ingress PEs, which is different from the one discribed in [RFC9026] in which the upstream designated fowarder determined by using the "Standby PE Community" carried in the C-Multicast routes. Based on the DF election, the failure detcetion point discovery mechanism between DF and standby DF is extended in MVPN procedures to achieve fast failover by using BFD session to track the status of detection point. To realize a stable "warm root standby", this document obsolete the P-Tunnel status determining procedure for downstream PEs in regular MVPN by introducing an anycast RPF checking mechanism in dataplane as an instead. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 10 May 2023. Duan & Chen Expires 10 May 2023 [Page 1] Internet-Draft MVPN Upstream DF Selection November 2022 Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. Passive IDF Negotiation Mode . . . . . . . . . . . . . . 5 3.2. Active IDF Negotiation Mode . . . . . . . . . . . . . . . 5 4. Specification . . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. IDF Negotiation Community . . . . . . . . . . . . . . . . 6 4.2. BFD Discriminator Attribute . . . . . . . . . . . . . . . 6 5. Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.1. Signaling . . . . . . . . . . . . . . . . . . . . . . . . 6 5.1.1. Originating VPN Routes to Multicast Sources . . . . . 7 5.1.2. Originating C-Multicast Routes . . . . . . . . . . . 7 5.1.3. Ingress Desiganted Forwarder Selection . . . . . . . 8 5.1.4. Failure Detection and Fast Failover . . . . . . . . . 9 5.2. Data Forwarding . . . . . . . . . . . . . . . . . . . . . 10 5.2.1. Procedure on Root PEs . . . . . . . . . . . . . . . . 10 5.2.2. Procedure on Leaf PEs . . . . . . . . . . . . . . . . 11 5.3. Distinguishing UMH and C-multicast Routes . . . . . . . . 11 5.4. Segmented Inter-AS Scenario . . . . . . . . . . . . . . . 11 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 9. Normative References . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Duan & Chen Expires 10 May 2023 [Page 2] Internet-Draft MVPN Upstream DF Selection November 2022 1. Introduction MVPN [RFC6513] and [RFC6514] defines the MVPN architecture and MVPN protocol specification which include the basic procedures for selecting the Upstream Multicast Hop. Further [RFC9026] defines some extension to select the primary and standby upstream PE for a VPN multicast flow on downstream PEs. After selecting the Upstream Multicast Hop, the downstream PEs send MVPN C-Multicast routes to both primary and standby Upstream PE. Upon receiving the MVPN join routes, the upstream / ingress PEs can either perform "hot root standby" or "warm root standby". For the "hot root standby" mechanism, all the ingress PEs, regardless of the primary or standby role, forward (C-S,C-G) flow to other PEs through a P-tunnel, forcing the egress PEs to discard all but one, which will cause the steady traffic redundancy throughout the backbone network. In the scenarios of enterprise networks crossing provider networks, the waste of bandwidth is a crucial issue causing the increasement of the OpEx of enterprise networks, and the "warm root standby" mechanism is expected to be a better solution. However, there are some problems when deploying the "warm root standby" mechanism described in [RFC9026]. a. Upon the failure of primary ingress PE, the standby ingress PE needs to send PIM join hop by hop toward multicast source for each multicast flow and the time when the standby ingress PE switches to the primary role may be inconsistent with the time when the leaf PE determines to accept multicast traffic sent by the standby root, causing which the failover time can hardly reach the same level of "hot root standby" mechanism. b. There is no endogenous mechanism for standby ingress PEs to discover and detect the failure of primary ingress PEs, resulting in the uncertainty in deployment and implementation. c. In [RFC9026], the standby ingress PE is determined by using "Standby PE Community" carried in the C-Multicast routes. The premise of this mechanism is that all leaf PEs choose the same primary and standby ingress PEs, which may not be meeted due to transient unicast routing inconsistencies, the inconsistencies of P-Tunnel status determined by each leaf PE or lack of support of the Standby PE community on leaf PE, causing that the "warm root standby" mechanism is not stable and returns to "hot root standby" mode because the standby ingress PE also sends multicast traffic to backbone when the condition is not satisfied. d. The primary and standby role is fixed for each multicast flow, resulting in that ingress PEs cannot perform load balancing for multicast traffic. Only two ingress PEs are selected for all Duan & Chen Expires 10 May 2023 [Page 3] Internet-Draft MVPN Upstream DF Selection November 2022 multicast stream from a specific multicast source, causing that the "warm root standby" mechanism cannot be used in the scenarios of client nework multihoming to more than two ingress PEs. This document defines a new MVPN procedure of designated forwarder election performed between ingress PEs. Based on the DF election, the failure detcetion point discovery mechanism between DF and standby DF is extended to achieve fast failover by using a BFD session to track the status of detection point. To realize a stable "warm root standby", this document obsoletes the P-Tunnel status determining procedure for downstream PEs in regular MVPN by introducing an anycast RPF checking mechanism in dataplane as an instead. 2. Terminology The terminology used in this document is the terminology defined in[RFC6513], [RFC6514] and [RFC9026]. For convenience of description, the abbreviations used in this document is listed below. DF: Desiganted Forwarder IDF: Ingress Desiganted Forwarder UMH: Upstream Multicast Hop P-tunnel: Provider-Tunnel VPN: Virtual Private Network MVPN: Multicast VPN GTM: Global Table Multicast RD: Route Distinguisher NLRI: Network Layer Reachability Information BFD: Bidirectional Forwarding Detection MD: My Discriminator VRI: VRF Route Import Extended Community RR: Route Reflector Duan & Chen Expires 10 May 2023 [Page 4] Internet-Draft MVPN Upstream DF Selection November 2022 SFS: Selective Forwarder Selection 3. Scenario 3.1. Passive IDF Negotiation Mode +------------------------+ | | / Root PE1 Leaf PE1 ----- R1 / | | S1 --- CE | Provider Backbone | \ | | \ Root PE2 Leaf PE2 ----- R2 | | +------------------------+ Figure 1: Passive IDF Negotiation Mode In this scenario, the interfaces multihoming CE to provider's root PEs are bundled together and working in a eth-trunk mode, and a multichassis protocol is running between the multi-homed root PEs to coordinate with the CE to perform single active or all active data sending mode between CE and root PEs. Regardless either of the two sending mode is chosen, CE received multicast data from S1 only selects one interface to forward traffic, thus the root PE homed by the selected interface is responsible for sending the corresponding multicast traffic to leaf PEs. The multi-homed root PEs do not really run an IDF negotiation procedure between themselves but accept the IDF role passively. Therefore, we call this scenario using Passive IDF Negotiation Mode in this document. 3.2. Active IDF Negotiation Mode +------------------------+ +----------------+ | | | | -- Root PE1 Leaf PE1 ----- R1 | | | | S1 --- | Client Network | | Provider Backbone | | | | | | | -- Root PE2 Leaf PE2 ----- R2 +----------------+ | | +------------------------+ Figure 2: Active IDF Negotiation Mode Duan & Chen Expires 10 May 2023 [Page 5] Internet-Draft MVPN Upstream DF Selection November 2022 In this scenario, the "Client Network" is a layer 3 network area containing one or more CE routers. If only one CE router is included in the "Client Network" , the main difference between this circumstance and above is that the interfaces multihoming CE to root PEs are not bundled and each of them is an individual layer 3 interface. The IP subnet of the multihoming interfaces can be in either same or different, each of the multi-homed root PEs can receive one copy of the specific multicast stream (S1, G) received through the "Client Network". For the "warm root standby" mechanism, only one root PE (Called IDF in this doucument) can send the received multicast traffic to leaf PEs through provider's backbone. Thus the IDF must be selected among the multi-homed root PEs by themselves. So, in this document, we call this scenario using Active IDF Negotiation Mode. 4. Specification 4.1. IDF Negotiation Community This community is carried in the UMH routes and used by the multi- homed root PEs to notify each other to perform IDF election. Leaf PEs can also check whether the UMH route is containing this community to perform anycast RPF checking in data plane. The value of this community will be allocated by IANA for each negotiation mode individually from the "Border Gateway Protocol (BGP) Well-known Communities" registry using the First Come First Served registration policy. 4.2. BFD Discriminator Attribute This attribute is carried in UMH routes and its format reuses the one defined in [RFC9026] with the "BFD Mode" field redefined as a unicast BFD session type, of which the value is recommended to be 2 and will be allocated by IANA according to the registration policy. The source IP optional TLV in this document is mandantory and used to discover the failure detection point of the IDF. 5. Procedure 5.1. Signaling In this section, the procedure is under the condition that the value of the RDs of multi-homed root PEs for a same MVPN are distinct, which means that the VPN route originated by each multi-homed PE can be received by the others and leaf PEs can also perform SFS reliably. Duan & Chen Expires 10 May 2023 [Page 6] Internet-Draft MVPN Upstream DF Selection November 2022 5.1.1. Originating VPN Routes to Multicast Sources To perform IDF election procedure in this document, the multi-homed root PEs MUST include an IDF negotiation Community in the originating VPN routes to multicast sources. The negotiation mode (Passive or Active) is determined by the connection type of the Client network / CE, and MUST be configured consistently on each multi-homed root PE. In order to perform endogenous mechanism of IDF election and fast failure detection, the BFD Discriminator Attribute discribed in section 4.2 MUST also be carried when each multi-homed root PE originates a UMH routes, with the MD feild filled with a local configured BFD discriminator and the IP address feild of the Source IP TLV filled with the local IP of the interface connecting to the Client network / CE, from which the prefix of the originating UMH route is learned. If the UMH prefix is learned from more than one local interface, the one chosen to fill the Source IP TLV of the BFD Discriminator Attribute MUST be consistent with the one selected as RPF interface for the multicast stream sent by the corresponding multicast source. In this document, the filled Source IP address is the failure detection point, if the corresponding root PE is selected as the IDF of a specific multicast stream, it is used to establish a BFD session to do fast tracking of failure of IDF. In IPv6 scenarios, a global IPv6 address SHOULD be configured on the client facing interfaces to succeed in the establishment of multi-hop IPv6 BFD sessions. 5.1.2. Originating C-Multicast Routes If a leaf PE decides to send C-Multicast routes to upstream PEs for a given (C-S, C-G), it follows the procedure described in [RFC6514] excepting that the RPF route of the c-root has an IDF negotiation community. According to the negotiation community, a distinct C-Multicast route for (C-S, C-G) is sent to each multi-homed root PE. Leaf PE installs all P-Tunnels rooted from the multi-homed PEs into the anycast RPF tunnel checklist of the corresponding multicast traffic (C-S, C-G). If there is a local receiver connected to one of the multi-homed root PEs and the Passive IDF Negotiation Mode is performed between them, the root PE having local receivers sends the specific C-Multicast route (C-S, C-G) joined by the local receivers to the multi-homed others, after which it installs all P-Tunnels rooted from the multi- homed others and local upstream interface into the anycast RPF tunnel checklist of the corresponding multicast traffic (C-S, C-G). Duan & Chen Expires 10 May 2023 [Page 7] Internet-Draft MVPN Upstream DF Selection November 2022 5.1.3. Ingress Desiganted Forwarder Selection For Passive IDF election, it is performed by CE routers as described in section 3.1. This section describes two optional solutions for Active IDF election. 5.1.3.1. Out-Of-Band Mechanism VRRP specifies an election protocol that dynamically assigns responsibility of a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IPv4 or IPv6 address(es) associated with a virtual router is called the Master, and it forwards packets sent to these IPv4 or IPv6 addresses. Similarly, the role of the VRRP routers associated with a virtual router can also be that of the upstream PEs in MVPN dual homing upstream PEs deployment. The method of mapping the role of a VRRP router to that of a MVPN upstream PE is more likely an administrative measure and could be implemented as configurable policies. Both the primary and standby PEs install VRF PIM state corresponding to BGP Source Tree Join route and send C-Join messages to the CE toward C-S. Whereas only the primary upstream PE (Virtual Router Master according to VRRP) forwards (C-S,C-G) flow to downstream PEs through a P-tunnel if IDF election is performing between the upstream PEs. Other private implementations or similar designated forwarder selection technologies could also be optional. However, a feasible technology should has the ability to be deployed per VRF and be associated with one Multicast VPN instance. All PEs connected to the same customer's layer 3 network area MUST keep a coincident status of whether performing IDF election or not by negotiating dynamically or being configured manually, the dynamic protocol for negotiation of this status is outside the scope of this document. 5.1.3.2. Endogenous Mechanism Considering a multicast source connecting to the client network area multihoming to the provider network, the prefix of the source can be learned by all multi-homed root PEs, each of which originates a corresponding VPN route with a VRI Extended Community including the originator's IP address to the others and leaf PEs. According to that, each multi-homed root PE can learn all the others' originator IP addresses for a specific multicast source, based on which the IDF can be calculated consistently on each root. Duan & Chen Expires 10 May 2023 [Page 8] Internet-Draft MVPN Upstream DF Selection November 2022 The default procedure for IDF election is at the granularity of . There are two options listed below for IDF election of a specific multicast source C-S, a deployment can use each of them and MUST be configured consistently among the multi-homed root PEs: a. To perform single IDF election for all C-Gs of a specific multicast source C-S, each PE builds an ordered list in ascending order of the IP addresses of all multi-homed PE nodes learning the UMH routes to the multicast source C-S (including itself). As described in the first paragraph of this section, each IP address in this list is extracted from the Global Administrator field of VRI Extended Community carried in those UMH routes related to the specified multicast source C-S. Every PE is then given an ordinal indicating its position in the ordered list, starting with 0 as the ordinal for the PE with the numerically lowest IP address. The originator IP address with ordinal 0 is the winner, and the corresponding root PE is selected as IDF by every PE. The root PE of which the corresponding originator IP address is sub-optimal is selected as Standby IDF. b. To perform IDF election for each C-G of a specific multicast source C-S, each PE also builds an ordered list of the IP addresses of all the multi-homed PE nodes at first. The difference between this option and above is that the election of IDF occurs not upon receiving all UMH routes of the other multi- homed PEs of the specfied C-S but upon receiving the C-multicast join of the corresponding C-G. Assuming an ordered list of N elements, the PE with ordinal i is the IDF for a C-G when (C-G mod N) = i. The PE with ordinal j is the Standby IDF when j is (C-G mod (N-1)). The calculation of standby IDF uses the ordered IP addresses list without considering the existance of the elected IDF element. 5.1.4. Failure Detection and Fast Failover For the Passive IDF Negotiation Mode, the CE router is responsible for the failure detection of multihoming links or multi-homed PE nodes using some existing solution, which is out the scope of this document. For the Active IDF Negotiation Mode with Out-Of-Band Mechanism described in section 5.1.3.1, the failure detection solution is always built in the multichassis protocols used for IDF election. This section only details the failure detection and fast failover procedure for the Active IDF negotiation mode with endogenous mechanism. To detect the failure of the node or the client facing link of IDF fastly, after the election of IDF PE and Standby IDF PE, the Standby IDF initializes a BFD session. Several important parameters of the Duan & Chen Expires 10 May 2023 [Page 9] Internet-Draft MVPN Upstream DF Selection November 2022 BFD session are introduced as follows. The source IP of the BFD session uses a local configured IP address of the corresponding multicast VRF. The destination IP is extracted from the Source IP TLV of BFD Discriminator Attribute carried in the UMH route sent by the IDF. MD is filled with the MD feild of BFD Discriminator Attribute carried in VPN routes originated by current Standby IDF. The YD(Your Discriminator) of the BFD session is dynamically learned through the BFD initialization procedure. Upon the occasion of the failure, the status of the BFD session goes down. The Standby IDF PE of the C-Gs selecting the failure / affected node as IDF takes over the primary role and sends the multicast traffic belonging to C-Gs to leaf PEs through the backbone. The failure / affected PE withdraws its VPN route advertised before, this will re-trigger the procedure described in section 5.1.3.2 and a new IDF PE (which was the old Standby IDF PE) and Standby IDF PE will be selected. If the previous failure node / link goes up again or a new multi- homed PE of the specified multicast source is coming up and the IDF PE is calculated to be changed, the new IDF will take over the running IDF. To avoid data transfer crash, the running IDF (That should be the new Standby IDF) dose not trigger the establishment of BFD session with new IDF until the local configured failback time expires, during which it keeps the IDF role and waits the new IDF completing the establishment of the multicast path from the SDR of the specified multicast source to itself. Upon the occasion of BFD session goes up, the running IDF stops sending multicast traffic to leaf PEs and the new IDF takes over the IDF role to send multicast stream for (C-S, C-G). 5.2. Data Forwarding 5.2.1. Procedure on Root PEs For the Passive IDF Negotiation Mode, the set of leaves of P-Tunnel rooted at each multi-homed PE has the others as members if the others have local reveivers willing to accept the corresponding C-Flow. The detailed signaling procedure is described in section 5.1.2. When CE sends multicast data performing load balance to only one root PE (Which is the Passive IDF), IDF send this multicast traffic to the leaf PEs and the other multi-homed root PEs. when the multi-homed root PEs receive the C-Flow, it MUST perform anycast RPF checking, by accepting the data from either the client facing interface learning the corresponding route of the multicast source or anyone of the P-Tunnels rooted at the other multi-homed PEs. To avoid multicast traffic loop and duplication, the data received from the P-Tunnels at each root PE MUST NOT send back to P-Tunnels again and can only be Duan & Chen Expires 10 May 2023 [Page 10] Internet-Draft MVPN Upstream DF Selection November 2022 forwarded to the local receivers of the receiving PE. For the Active IDF Negotiation Mode, each multi-homed root PE receives a copy of C-Flow and forwards the multicast traffic to its local receivers. Only DF can send data to leaf PEs through backbone. All of the multi-homed root PEs perform RPF cheking by matching their client facing interface exactly. 5.2.2. Procedure on Leaf PEs For either of the two IDF negotiation modes described in this document, leaf PEs install each P-Tunnel rooted at each multi-homed root PE into the anycast RPF checklist for the corresponding multicast flow (C-S, C-G), thus the multicast data sent by each of the multi-homed root PEs can be accepted by leaf PEs. Upon the failure of IDF, the Standby IDF takes over the primary role and leaf PEs are ready to receive the data sent by the new primary IDF with no latency thanks to the anycast RPF checking mechanism. 5.3. Distinguishing UMH and C-multicast Routes // To do. 5.4. Segmented Inter-AS Scenario // To do. 6. Security Considerations This document follows the security considerations specified in [RFC6513] and [RFC6514]. 7. IANA Considerations This document defines a new BGP Community called IDF negotiation Community, of which the value will be allocated from IANA for each negotiation mode individually. The BFD Discriminator Attribute defined in [RFC9026] is reused and the value of BFD Mode is recommend to be 2 in this document, which will be review by IANA. 8. Acknowledgements The authors wish to thank Jingrong Xie, for his reviews, comments and suggestions. 9. Normative References Duan & Chen Expires 10 May 2023 [Page 11] Internet-Draft MVPN Upstream DF Selection November 2022 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended Communities Attribute", RFC 4360, DOI 10.17487/RFC4360, February 2006, . [RFC5798] Nadas, S., Ed., "Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6", RFC 5798, DOI 10.17487/RFC5798, March 2010, . [RFC6513] Rosen, E., Ed. and R. Aggarwal, Ed., "Multicast in MPLS/ BGP IP VPNs", RFC 6513, DOI 10.17487/RFC6513, February 2012, . [RFC6514] Aggarwal, R., Rosen, E., Morin, T., and Y. Rekhter, "BGP Encodings and Procedures for Multicast in MPLS/BGP IP VPNs", RFC 6514, DOI 10.17487/RFC6514, February 2012, . [RFC6515] Aggarwal, R. and E. Rosen, "IPv4 and IPv6 Infrastructure Addresses in BGP Updates for Multicast VPN", RFC 6515, DOI 10.17487/RFC6515, February 2012, . [RFC7524] Rekhter, Y., Rosen, E., Aggarwal, R., Morin, T., Grosclaude, I., Leymann, N., and S. Saad, "Inter-Area Point-to-Multipoint (P2MP) Segmented Label Switched Paths (LSPs)", RFC 7524, DOI 10.17487/RFC7524, May 2015, . [RFC7716] Zhang, J., Giuliano, L., Rosen, E., Ed., Subramanian, K., and D. Pacella, "Global Table Multicast with BGP Multicast VPN (BGP-MVPN) Procedures", RFC 7716, DOI 10.17487/RFC7716, December 2015, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC9026] Morin, T., Ed., Kebler, R., Ed., and G. Mirsky, Ed., "Multicast VPN Fast Upstream Failover", RFC 9026, DOI 10.17487/RFC9026, April 2021, . Duan & Chen Expires 10 May 2023 [Page 12] Internet-Draft MVPN Upstream DF Selection November 2022 Authors' Addresses Fanghong Duan Huawei Technologies Email: duanfanghong@huawei.com Siyu Chen Huawei Technologies Email: chensiyu27@huawei.com Duan & Chen Expires 10 May 2023 [Page 13]