Re: [bess] WG Last Call for draft-ietf-bess-evpn-inter-subnet-forwarding-03

"Jeffrey (Zhaohui) Zhang" <> Fri, 17 February 2017 18:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 00AEE129A62 for <>; Fri, 17 Feb 2017 10:42:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UoVsN9NlIojE for <>; Fri, 17 Feb 2017 10:42:49 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 04110129415 for <>; Fri, 17 Feb 2017 10:42:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=H6PHAXD5kTGNZjvsaG/VZ4/RJZv06Qh9doyEvaTGE2Q=; b=OlWzEEF8HoRLlrX4wqf1sVbdYb/c38AveQ5gCJ+amQY/NEtAIWqikDIxzSVXLNscEs+xPyJD55sXDzXi5cqbnT5LoJJ0wnbXjtkTOhDsovAT04oqkWXFzvh+1KB6y+kVfWHR+zA+8Hi6rIRRiTdiw7b4eTulEkeGRaOYT9Wvvig=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10; Fri, 17 Feb 2017 18:42:47 +0000
Received: from ([]) by ([]) with mapi id 15.01.0919.013; Fri, 17 Feb 2017 18:42:48 +0000
From: "Jeffrey (Zhaohui) Zhang" <>
To: Martin Vigoureux <>, BESS <>
Thread-Topic: [bess] WG Last Call for draft-ietf-bess-evpn-inter-subnet-forwarding-03
Thread-Index: AQHShkWa59vApEY6fkGMs0oECnFJv6FtiuZQ
Date: Fri, 17 Feb 2017 18:42:47 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 1bd7399b-599f-4d1f-d54e-08d45764c516
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:DM5PR05MB3146;
x-microsoft-exchange-diagnostics: 1; DM5PR05MB3146; 7:VJCrVBdsAXDOgmj3ie05RxSJ34C7cw7QJPTZFnX0S/ETMK7GUcjlurYZ8YA42BR3QZ1UH3MqQqb4uCj/p7JQy2QG5DvZMYq7JcW6sp6wDief2V0/+bySdPyAU+gixLha0N4MeBH3sFkiZhSAprT9AMB/fKrushFO8mfKR0bgy+qAZaz14g+Q7fZNqcYKzXLhjpzi8G+4lhqoUSnkYsXMB+hk133/tbArSA7kQVGgvsy1lGaXOqohaJkwwrvu23Yy4/XPWoqMqNSVeb9tCnTxH7ZIhnUa4aImfqx02FsP23KwAN/ro5JxIUPrsuZelaZi1Fudy/inBup2v+Q637wGPA==
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(278428928389397)(120809045254105)(192374486261705)(788757137089);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(6041248)(20161123560025)(20161123564025)(20161123555025)(20161123562025)(20161123558025)(6072148); SRVR:DM5PR05MB3146; BCL:0; PCL:0; RULEID:; SRVR:DM5PR05MB3146;
x-forefront-prvs: 02213C82F8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39450400003)(39410400002)(39860400002)(39850400002)(39840400002)(13464003)(199003)(189002)(377454003)(2900100001)(102836003)(3846002)(6116002)(5660300001)(7736002)(7696004)(5890100001)(68736007)(8936002)(189998001)(2950100002)(74316002)(92566002)(3660700001)(81166006)(53936002)(81156014)(122556002)(97736004)(2906002)(3280700002)(50986999)(33656002)(105586002)(101416001)(6436002)(66066001)(38730400002)(106356001)(230783001)(106116001)(6306002)(54356999)(76176999)(9686003)(25786008)(305945005)(86362001)(77096006)(229853002)(6246003)(99286003)(6506006)(55016002)(53546006); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR05MB3146;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Feb 2017 18:42:48.0045 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR05MB3146
Archived-At: <>
Subject: Re: [bess] WG Last Call for draft-ietf-bess-evpn-inter-subnet-forwarding-03
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Feb 2017 18:42:51 -0000


I have the following nits/questions/comments. This email is only about the asymmetric section  - I may send another one about symmetric section.

"inter-subnet switching" is confusing. Shouldn't it be "inter-subnet routing" instead of "intra-subnet switching"? While it's EVPN aware, it still goes through routing first.

Isn't requirement R1 covered by R2?

   This is an environment where all NVEs to which an EVPN instance could
   potentially be attached (or moved)

Strike the "(or moved)"?

>From RFC 7432:

10.1.  Default Gateway
   The IP Address field of the MAC/IP Advertisement route is set to the
   default gateway IP address for that subnet (e.g., an EVPN instance).
   For a given subnet (e.g., a VLAN or EVPN instance), the default
   gateway IP address is the same across all the participant PEs. The
   inclusion of this IP address enables the receiving PE to check its
   configured default gateway IP address against the one received in the
   MAC/IP Advertisement route for that subnet (or EVPN instance), and if
   there is a discrepancy, then the PE SHOULD notify the operator and
   log an error message.

This draft:

   2. Each NVE of a given EVPN instance uses its own default gateway IP
   and MAC addresses, and these addresses are aliased to the same
   conceptual gateway through the use of the Default Gateway extended
   community as specified in [EVPN], which is carried in the EVPN MAC
   Advertisement routes. On each NVE, this default gateway IP/MAC
   address correspond to the IRB interface connecting the MAC-VRF of
   that EVI to the corresponding IP-VRF.

The above 2nd model seems to be conflicting with RFC 7432? Also, what does "this default gateway" refer to? Each NVE's "own default gateway" or "the same conceptual gateway"?
Is it that besides their own default gateway, an additional common gateway is advertised using that extended community? If so, what's the purpose to call those different IP addresses on the IRB interfaces "default gateway"? I assume the hosts will be using the common gateway address?

   It is worth noting that if the applications that are running on the
   TS's are employing or relying on any form of MAC security, then the
   first model (i.e. using anycast addresses) would be required to
   ensure that the applications receive traffic from the same source MAC
   address that they are sending to.

Why is that? As long as an NVE changes the source MAC to the one it sends in the ARP reply, it should work even with the 2nd model?

3.2 Heterogeneous Environment

   .. Even though policies
   among multiple subnets belonging to same tenant can be simpler,


   ... Therefore, there can be a mixed environment where an NVE
   performs inter-subnet switching for some EVPN instances and the L3GW
   for others.

For the above sentence, it helps a lot if the last part reads "and the L3GW performs inter-subnet switching for other EVPN instances".

4.1 Among EVPN NVEs within a DC

   ... It also rewrites the source MAC address with its IRB
   Interface MAC address.

Need to make it clear that the above mentioned IRB interface is for the destination subnet. Same issue in 4.2.

For section 4.2, the processing on the ingress and egress NVE is no different from 4.1; the processing on the ASBRs is vanilla EVPN forwarding and not specific to inter-subnet forwarding at all; therefore, 4.2 is not really needed? Additionally, the section is about "w/o GW", yet the text talks about ingress/egress Gateway. It's better to replace Gateway with ASBRs.

4.3 Among EVPN NVEs in Different DCs with GW

   ... It also rewrites the
   source MAC address with its own IRB Interface MAC address.

Similar to 4.1, the above needs to be clear that it's the IRB interface for the subnet between the NVE and the GW. More below on this.

   ... This implies that the GW1 needs to keep the remote
   host MAC addresses along with the corresponding EVPN labels in the
   adjacency entries of the IP-VRF table (i.e., its ARP table).	

Does that mean GW1 needs to keep all type-2 IP/MAC addresses that GW2 learns from NVEs in DC2? Also does that mean GW1 and GW2 must be attached to all subnets? If so, between the source NVE and its local GW, when the source NVE route the traffic to the GW, I assume it's the destination subnet's IRB interface's mac address that will be used as the source mac address, and GW1's IRB mac address for the destination subnet is used as the dst mac address. It is true that an NVE may have the same system mac address for all its IRB interfaces, but it's good to point out which IRB is used (and if different IRB mac address is used, things will still work out).

Also, while each subnet is attached to each NVE, the IP routing process (e.g. TTL decrement) happens twice - first on the source NVE and then on the source GW. That's probably OK, but better point out all these details.

4.5 Use of Centralized Gateway

   In this scenario, the NVEs within a given data center need to forward
   traffic in L2 to a centralized L3GW for a number of reasons: a) they
   don't have IRB capabilities or b) they don't have required policy for
   switching traffic between different tenants or security zones.

For b), do we configure IRB on those non-centralized gateways at all? I assume not (even though the NVE could support IRB) - It's better to be clear.

I'll send a follow up email about the symmetric section.



> -----Original Message-----
> From: BESS [] On Behalf Of Martin Vigoureux
> Sent: Monday, February 13, 2017 5:07 PM
> To: BESS <>
> Subject: [bess] WG Last Call for draft-ietf-bess-evpn-inter-subnet-forwarding-03
> Hello Working Group,
> This email starts a Working Group Last Call on
> draft-ietf-bess-evpn-inter-subnet-forwarding-03 [1] which is considered
> mature and ready for a final working group review.
> Note that this call is longer than usual because we are pushing two
> correlated documents together.
> Please read this document if you haven't read the most recent
> version yet, and send your comments to the list, no later than
> *5th of March*.
> Note that this is *not only* a call for comments on the document; it is
> also a call for support (or not) to publish this document as a Proposed
> Standard RFC.
> *Coincidentally*, we are also polling for knowledge of any IPR that
> applies to draft-ietf-bess-evpn-inter-subnet-forwarding, to ensure that
> IPR has been disclosed in compliance with IETF IPR rules (see RFCs 3979,
> 4879, 3669 and 5378 for more details).
> *If* you are listed as a document author or contributor of
> draft-ietf-bess-evpn-inter-subnet-forwarding-03 please respond to this
> email and indicate whether or not you are aware of any relevant IPR.
> Note that, as of today, no IPR has been disclosed against this document
> or its earlier versions.
> We are also polling for knowledge of implementations of part or all of
> what this document specifies. This information is expected as per [2].
> Please inform the mailing list, or the chairs, or only one of the chairs.
> Thank you,
> M&T
> [1]
> [2]
> _______________________________________________
> BESS mailing list