BFD for VXLAN
draft-ietf-bfd-vxlan-06
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8971.
|
|
|---|---|---|---|
| Authors | Santosh Pallagatti , Sudarsan Paragiri , Vengada Prasad Govindan , Mallik Mudigonda, Greg Mirsky | ||
| Last updated | 2019-05-02 (Latest revision 2018-12-26) | ||
| Replaces | draft-spallagatti-bfd-vxlan | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews |
GENART Telechat review
(of
-09)
by Erik Kline
Ready w/nits
TSVART Last Call review
(of
-07)
by Olivier Bonaventure
Ready w/issues
GENART Last Call review
(of
-07)
by Erik Kline
On the Right Track
|
||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Jeffrey Haas | ||
| Shepherd write-up | Show Last changed 2019-01-02 | ||
| IESG | IESG state | Became RFC 8971 (Informational) | |
| Consensus boilerplate | Yes | ||
| Telechat date | (None) | ||
| Responsible AD | Martin Vigoureux | ||
| Send notices to | Jeffrey Haas <jhaas@pfrc.org> |
draft-ietf-bfd-vxlan-06
4. Deployment Figure 1 illustrates the scenario with two servers, each of them hosting two VMs. The servers host VTEPs that terminate two VXLAN tunnels with VNI number 100 and 200 respectively. Separate BFD sessions can be established between the VTEPs (IP1 and IP2) for monitoring each of the VXLAN tunnels (VNI 100 and 200). The implementation SHOULD have a reasonable upper bound on the number of BFD sessions that can be created between the same pair of VTEPs. No BFD packets intended for a Hypervisor VTEP should be forwarded to a VM as a VM may drop BFD packets leading to a false negative. This method is applicable whether the VTEP is a virtual or physical device. Pallagatti, et al. Expires June 29, 2019 [Page 5] Internet-Draft BFD for VXLAN December 2018 +------------+-------------+ | Server 1 | | | | +----+----+ +----+----+ | | |VM1-1 | |VM1-2 | | | |VNI 100 | |VNI 200 | | | | | | | | | +---------+ +---------+ | | Hypervisor VTEP (IP1) | +--------------------------+ | | | | +-------------+ | | Layer 3 | |---| Network | | | +-------------+ | | +-----------+ | | +------------+-------------+ | Hypervisor VTEP (IP2) | | +----+----+ +----+----+ | | |VM2-1 | |VM2-2 | | | |VNI 100 | |VNI 200 | | | | | | | | | +---------+ +---------+ | | Server 2 | +--------------------------+ Figure 1: Reference VXLAN domain 5. BFD Packet Transmission over VXLAN Tunnel BFD packet MUST be encapsulated and sent to a remote VTEP as explained in Section 5.1. Implementations SHOULD ensure that the BFD packets follow the same lookup path as VXLAN data packets within the sender system. Pallagatti, et al. Expires June 29, 2019 [Page 6] Internet-Draft BFD for VXLAN December 2018 5.1. BFD Packet Encapsulation in VXLAN BFD packets are encapsulated in VXLAN as described below. The VXLAN packet format is defined in Section 5 of [RFC7348]. The Outer IP/UDP and VXLAN headers MUST be encoded by the sender as defined in [RFC7348]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Outer Ethernet Header ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Outer IPvX Header ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Outer UDP Header ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ VXLAN Header ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Inner Ethernet Header ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Inner IPvX Header ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Inner UDP Header ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ BFD Control Message ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | FCS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: VXLAN Encapsulation of BFD Control Message Pallagatti, et al. Expires June 29, 2019 [Page 7] Internet-Draft BFD for VXLAN December 2018 The BFD packet MUST be carried inside the inner MAC frame of the VXLAN packet. The inner MAC frame carrying the BFD payload has the following format: Ethernet Header: Destination MAC: This MUST be the dedicated MAC TBA (Section 9) or the MAC address of the destination VTEP. The details of how the MAC address of the destination VTEP is obtained are outside the scope of this document. Source MAC: MAC address of the originating VTEP IP header: Source IP: IP address of the originating VTEP. Destination IP: IP address of the terminating VTEP. TTL: MUST be set to 1 to ensure that the BFD packet is not routed within the L3 underlay network. The fields of the UDP header and the BFD control packet are encoded as specified in [RFC5881] for p2p VXLAN tunnels. 6. Reception of BFD packet from VXLAN Tunnel Once a packet is received, VTEP MUST validate the packet as described in Section 4.1 of [RFC7348]. If the Destination MAC of the inner MAC frame matches the dedicated MAC or the MAC address of the VTEP the packet MUST be processed further. The UDP destination port and the TTL of the inner IP packet MUST be validated to determine if the received packet can be processed by BFD. BFD packet with inner MAC set to VTEP or dedicated MAC address MUST NOT be forwarded to VMs. To ensure BFD detects the proper configuration of VXLAN Network Identifier (VNI) in a remote VTEP, a lookup SHOULD be performed with the MAC-DA and VNI as key in the Virtual Forwarding Instance (VFI) table of the originating/terminating VTEP to exercise the VFI associated with the VNI. 6.1. Demultiplexing of the BFD packet Demultiplexing of IP BFD packet has been defined in Section 3 of [RFC5881]. Since multiple BFD sessions may be running between two VTEPs, there needs to be a mechanism for demultiplexing received BFD Pallagatti, et al. Expires June 29, 2019 [Page 8] Internet-Draft BFD for VXLAN December 2018 packets to the proper session. The procedure for demultiplexing packets with Your Discriminator equal to 0 is different from [RFC5880]. For such packets, the BFD session MUST be identified using the inner headers, i.e., the source IP, the destination IP, and the source UDP port number present in the IP header carried by the payload of the VXLAN encapsulated packet. The VNI of the packet SHOULD be used to derive interface-related information for demultiplexing the packet. If BFD packet is received with non-zero Your Discriminator, then BFD session MUST be demultiplexed only with Your Discriminator as the key. 7. Use of reserved VNI In most cases, a single BFD session is sufficient for the given VTEP to monitor the reachability of a remote VTEP, regardless of the number of VNIs in common. When the single BFD session is used to monitor reachability of the remote VTEP, an implementation SHOULD use a VNI of 0. 8. Echo BFD Support for echo BFD is outside the scope of this document. 9. IANA Considerations IANA has assigned TBA as a dedicated MAC address from the IANA 48-bit unicast MAC address registry to be used as the Destination MAC address of the inner Ethernet of VXLAN when carrying BFD control packets. 10. Security Considerations The document requires setting the inner IP TTL to 1 which could be used as a DDoS attack vector. Thus the implementation MUST have throttling in place to control the rate of BFD control packets sent to the control plane. Throttling MAY be relaxed for BFD packets based on port number. The implementation SHOULD have a reasonable upper bound on the number of BFD sessions that can be created between the same pair of VTEPs. Other than inner IP TTL set to 1 and limit the number of BFD sessions between the same pair of VTEPs, this specification does not raise any additional security issues beyond those of the specifications referred to in the list of normative references. Pallagatti, et al. Expires June 29, 2019 [Page 9] Internet-Draft BFD for VXLAN December 2018 11. Contributors Reshad Rahman rrahman@cisco.com Cisco 12. Acknowledgments Authors would like to thank Jeff Haas of Juniper Networks for his reviews and feedback on this material. Authors would also like to thank Nobo Akiya, Marc Binderberger, Shahram Davari, Donald E. Eastlake 3rd, and Anoop Ghanwani for the extensive reviews and the most detailed and helpful comments. 13. References 13.1. Normative References [I-D.ietf-bfd-multipoint] Katz, D., Ward, D., Networks, J., and G. Mirsky, "BFD for Multipoint Networks", draft-ietf-bfd-multipoint-19 (work in progress), December 2018. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, <https://www.rfc-editor.org/info/rfc5880>. [RFC5881] Katz, D. and D. Ward, "Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop)", RFC 5881, DOI 10.17487/RFC5881, June 2010, <https://www.rfc-editor.org/info/rfc5881>. [RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, L., Sridhar, T., Bursell, M., and C. Wright, "Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014, <https://www.rfc-editor.org/info/rfc7348>. Pallagatti, et al. Expires June 29, 2019 [Page 10] Internet-Draft BFD for VXLAN December 2018 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. 13.2. Informational References [RFC8293] Ghanwani, A., Dunbar, L., McBride, M., Bannai, V., and R. Krishnan, "A Framework for Multicast in Network Virtualization over Layer 3", RFC 8293, DOI 10.17487/RFC8293, January 2018, <https://www.rfc-editor.org/info/rfc8293>. [RFC8365] Sajassi, A., Ed., Drake, J., Ed., Bitar, N., Shekhar, R., Uttaro, J., and W. Henderickx, "A Network Virtualization Overlay Solution Using Ethernet VPN (EVPN)", RFC 8365, DOI 10.17487/RFC8365, March 2018, <https://www.rfc-editor.org/info/rfc8365>. Authors' Addresses Santosh Pallagatti (editor) Rtbrick Email: santosh.pallagatti@gmail.com Sudarsan Paragiri Juniper Networks 1194 N. Mathilda Ave. Sunnyvale, California 94089-1206 USA Email: sparagiri@juniper.net Vengada Prasad Govindan Cisco Email: venggovi@cisco.com Mallik Mudigonda Cisco Email: mmudigon@cisco.com Pallagatti, et al. Expires June 29, 2019 [Page 11] Internet-Draft BFD for VXLAN December 2018 Greg Mirsky ZTE Corp. Email: gregimirsky@gmail.com Pallagatti, et al. Expires June 29, 2019 [Page 12]