< draft-ietf-bfd-vxlan-09.txt | draft-ietf-bfd-vxlan-10.txt > | |||
---|---|---|---|---|
BFD S. Pallagatti, Ed. | BFD S. Pallagatti, Ed. | |||
Internet-Draft VMware | Internet-Draft VMware | |||
Intended status: Standards Track S. Paragiri | Intended status: Standards Track S. Paragiri | |||
Expires: June 1, 2020 Individual Contributor | Expires: June 19, 2020 Individual Contributor | |||
V. Govindan | V. Govindan | |||
M. Mudigonda | M. Mudigonda | |||
Cisco | Cisco | |||
G. Mirsky | G. Mirsky | |||
ZTE Corp. | ZTE Corp. | |||
November 29, 2019 | December 17, 2019 | |||
BFD for VXLAN | BFD for VXLAN | |||
draft-ietf-bfd-vxlan-09 | draft-ietf-bfd-vxlan-10 | |||
Abstract | Abstract | |||
This document describes the use of the Bidirectional Forwarding | This document describes the use of the Bidirectional Forwarding | |||
Detection (BFD) protocol in point-to-point Virtual eXtensible Local | Detection (BFD) protocol in point-to-point Virtual eXtensible Local | |||
Area Network (VXLAN) tunnels forming up an overlay network. | Area Network (VXLAN) tunnels forming up an overlay network. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on June 1, 2020. | This Internet-Draft will expire on June 19, 2020. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 3, line 8 ¶ | skipping to change at page 3, line 8 ¶ | |||
hypervisors. However, the concepts are equally applicable to non- | hypervisors. However, the concepts are equally applicable to non- | |||
virtualized hosts attached to VTEPs in switches. | virtualized hosts attached to VTEPs in switches. | |||
In the absence of a router in the overlay, a VM can communicate with | In the absence of a router in the overlay, a VM can communicate with | |||
another VM only if they are on the same VXLAN segment. VMs are | another VM only if they are on the same VXLAN segment. VMs are | |||
unaware of VXLAN tunnels as a VXLAN tunnel is terminated on a VTEP. | unaware of VXLAN tunnels as a VXLAN tunnel is terminated on a VTEP. | |||
VTEPs are responsible for encapsulating and decapsulating frames | VTEPs are responsible for encapsulating and decapsulating frames | |||
exchanged among VMs. | exchanged among VMs. | |||
Ability to monitor path continuity, i.e., perform proactive | The ability to monitor path continuity, i.e., perform proactive | |||
continuity check (CC) for point-to-point (p2p) VXLAN tunnels, is | continuity check (CC) for point-to-point (p2p) VXLAN tunnels, is | |||
important. The asynchronous mode of BFD, as defined in [RFC5880], is | important. The asynchronous mode of BFD, as defined in [RFC5880], is | |||
used to monitor a p2p VXLAN tunnel. | used to monitor a p2p VXLAN tunnel. | |||
In the case where a Multicast Service Node (MSN) (as described in | In the case where a Multicast Service Node (MSN) (as described in | |||
Section 3.3 of [RFC8293]) resides behind a Network Virtualization | Section 3.3 of [RFC8293]) resides behind a Network Virtualization | |||
Endpoint (NVE), the mechanisms described in this document apply and | Endpoint (NVE), the mechanisms described in this document apply and | |||
can, therefore, be used to test the connectivity from the source NVE | can, therefore, be used to test the connectivity from the source NVE | |||
to the MSN. | to the MSN. | |||
skipping to change at page 5, line 11 ¶ | skipping to change at page 5, line 11 ¶ | |||
+--------------------------+ | +--------------------------+ | |||
Figure 1: Reference VXLAN Domain | Figure 1: Reference VXLAN Domain | |||
At the same time, a service layer BFD session may be used between the | At the same time, a service layer BFD session may be used between the | |||
tenants of VTEPs IP1 and IP2 to provide end-to-end fault management. | tenants of VTEPs IP1 and IP2 to provide end-to-end fault management. | |||
In such case, for VTEPs BFD Control packets of that session are | In such case, for VTEPs BFD Control packets of that session are | |||
indistinguishable from data packets. | indistinguishable from data packets. | |||
As per Section 4, the inner destination IP address SHOULD be set to | As per Section 4, the inner destination IP address SHOULD be set to | |||
one of the loopback addresses (127/8 range for IPv4 and | one of the loopback addresses from 127/8 range for IPv4 or to one of | |||
0:0:0:0:0:FFFF:7F00:0/104 range for IPv6). There could be a firewall | IPv4-mapped IPv4 loopback addresses from ::ffff:127.0.0.0/104 range | |||
configured on VTEP to block loopback addresses if set as the | for IPv6. There could be a firewall configured on VTEP to block | |||
destination IP in the inner IP header. It is RECOMMENDED to allow | loopback addresses if set as the destination IP in the inner IP | |||
addresses from the loopback range through a firewall only if it is | header. It is RECOMMENDED to allow addresses from the loopback range | |||
used as the destination IP address in the inner IP header, and the | through a firewall only if it is used as the destination IP address | |||
destination UDP port is set to 3784 [RFC5881]. | in the inner IP header, and the destination UDP port is set to 3784 | |||
[RFC5881]. | ||||
4. BFD Packet Transmission over VXLAN Tunnel | 4. BFD Packet Transmission over VXLAN Tunnel | |||
BFD packet MUST be encapsulated and sent to a remote VTEP as | BFD packets MUST be encapsulated and sent to a remote VTEP as | |||
explained in this section. Implementations SHOULD ensure that the | explained in this section. Implementations SHOULD ensure that the | |||
BFD packets follow the same lookup path as VXLAN data packets within | BFD packets follow the same lookup path as VXLAN data packets within | |||
the sender system. | the sender system. | |||
BFD packets are encapsulated in VXLAN as described below. The VXLAN | BFD packets are encapsulated in VXLAN as described below. The VXLAN | |||
packet format is defined in Section 5 of [RFC7348]. The Outer IP/UDP | packet format is defined in Section 5 of [RFC7348]. The Outer IP/UDP | |||
and VXLAN headers MUST be encoded by the sender as defined in | and VXLAN headers MUST be encoded by the sender as defined in | |||
[RFC7348]. | [RFC7348]. | |||
0 1 2 3 | 0 1 2 3 | |||
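Review bot: the new Section 3 wording "one of IPv4-mapped IPv4 loopback addresses from ::ffff:127.0.0.0/104 range for IPv6" mislabels the address family and drops its articles; ::ffff:127.0.0.0/104 is the IPv4-mapped IPv6 form of 127/8, so suggest "one of the loopback addresses from the 127/8 range for IPv4, or one of the IPv4-mapped IPv6 addresses from the ::ffff:127.0.0.0/104 range for IPv6". Replacing 0:0:0:0:0:FFFF:7F00:0/104 with the ::ffff:127.0.0.0/104 notation is an improvement, since the embedded IPv4 prefix is now visible, and "BFD packets MUST be encapsulated" fixes the number agreement in the Section 4 lead sentence.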
skipping to change at page 7, line 18 ¶ | skipping to change at page 7, line 18 ¶ | |||
configured, or it MAY be learned via a control plane protocol. | configured, or it MAY be learned via a control plane protocol. | |||
The details of how the MAC address is obtained are outside the | The details of how the MAC address is obtained are outside the | |||
scope of this document. | scope of this document. | |||
Source MAC: MAC address associated with the originating VTEP | Source MAC: MAC address associated with the originating VTEP | |||
IP header: | IP header: | |||
Destination IP: IP address MUST NOT be of one of tenant's IP | Destination IP: IP address MUST NOT be of one of tenant's IP | |||
addresses. The IP address SHOULD be selected from the range | addresses. The IP address SHOULD be selected from the range | |||
127/8 for IPv4, for IPv6 - from the range | 127/8 for IPv4, for IPv6 - from the range ::ffff:127.0.0.0/104. | |||
0:0:0:0:0:FFFF:7F00:0/104. Alternatively, the destination IP | Alternatively, the destination IP address MAY be set to VTEP's | |||
address MAY be set to VTEP's IP address. | IP address. | |||
Source IP: IP address of the originating VTEP. | Source IP: IP address of the originating VTEP. | |||
TTL or Hop Limit: MUST be set to 1 to ensure that the BFD | TTL or Hop Limit: MUST be set to 1 to ensure that the BFD | |||
packet is not routed within the Layer 3 underlay network. This | packet is not routed within the Layer 3 underlay network. This | |||
addresses the scenario when the inner IP destination address is | addresses the scenario when the inner IP destination address is | |||
of VXLAN gateway and there is a router in underlay which | of VXLAN gateway and there is a router in underlay which | |||
removes the VXLAN header, then it is possible to route the | removes the VXLAN header, then it is possible to route the | |||
packet as VXLAN gateway address is routable address. | packet as VXLAN gateway address is routable address. | |||
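Review bot: the reflowed Destination IP text in Section 4 still reads "for IPv6 - from the range ::ffff:127.0.0.0/104", using a bare hyphen as a dash and describing the range differently from Section 3; suggest "The IP address SHOULD be selected from the range 127/8 for IPv4, or from the IPv4-mapped IPv6 range ::ffff:127.0.0.0/104 for IPv6" so both sections name the same range the same way. Since the alternative "MAY be set to VTEP's IP address" is retained, the TTL or Hop Limit of 1 in the following item remains the only safeguard against that routable inner address being forwarded once the VXLAN header is removed, so the two items should stay adjacent as they are.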
skipping to change at page 8, line 52 ¶ | skipping to change at page 8, line 52 ¶ | |||
The document requires setting the inner IP TTL to 1, which could be | The document requires setting the inner IP TTL to 1, which could be | |||
used as a DDoS attack vector. Thus the implementation MUST have | used as a DDoS attack vector. Thus the implementation MUST have | |||
throttling in place to control the rate of BFD Control packets sent | throttling in place to control the rate of BFD Control packets sent | |||
to the control plane. On the other hand, over-aggressive throttling | to the control plane. On the other hand, over-aggressive throttling | |||
of BFD Control packets may become the cause of the inability to form | of BFD Control packets may become the cause of the inability to form | |||
and maintain BFD session at scale. Hence, throttling of BFD Control | and maintain BFD session at scale. Hence, throttling of BFD Control | |||
packets SHOULD be adjusted to permit BFD to work according to its | packets SHOULD be adjusted to permit BFD to work according to its | |||
procedures. | procedures. | |||
This document recommends using an address from the Internal host | This document recommends using an address from the Internal host | |||
loopback addresses (127/8 range for IPv4 and | loopback addresses 127/8 range for IPv4 or an IP4-mapped IPv4 | |||
0:0:0:0:0:FFFF:7F00:0/104 range for IPv6) as the destination IP | loopback address from ::ffff:127.0.0.0/104 range for IPv6 as the | |||
address in the inner IP header. Using such address prevents the | destination IP address in the inner IP header. Using such address | |||
forwarding of the encapsulated BFD control message by a transient | prevents the forwarding of the encapsulated BFD control message by a | |||
node in case the VXLAN tunnel is broken as according to [RFC1812]: | transient node in case the VXLAN tunnel is broken as according to | |||
[RFC1812]: | ||||
A router SHOULD NOT forward, except over a loopback interface, any | A router SHOULD NOT forward, except over a loopback interface, any | |||
packet that has a destination address on network 127. A router | packet that has a destination address on network 127. A router | |||
MAY have a switch that allows the network manager to disable these | MAY have a switch that allows the network manager to disable these | |||
checks. If such a switch is provided, it MUST default to | checks. If such a switch is provided, it MUST default to | |||
performing the checks. | performing the checks. | |||
If the implementation supports establishing multiple BFD sessions | If the implementation supports establishing multiple BFD sessions | |||
between the same pair of VTEPs, there SHOULD be a mechanism to | between the same pair of VTEPs, there SHOULD be a mechanism to | |||
control the maximum number of such sessions that can be active at the | control the maximum number of such sessions that can be active at the | |||
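Review bot: the new Security Considerations text "an IP4-mapped IPv4 loopback address from ::ffff:127.0.0.0/104 range for IPv6" has a typo ("IP4") and the same address-family mix-up as Section 3 (the range is IPv4-mapped IPv6), and "Using such address" needs an article; suggest "an IPv4-mapped IPv6 address from the ::ffff:127.0.0.0/104 range" and "Using such an address". Separately, the quoted [RFC1812] requirement covers only "a destination address on network 127", so the non-forwarding argument is made for the IPv4 case alone; the IPv6 range needs its own citation (RFC 4291 is where IPv4-mapped IPv6 addresses are defined) or a sentence stating that the same non-forwarding behaviour is assumed for it.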
End of changes. 9 change blocks. | ||||
21 lines changed or deleted | 23 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |