Hi Jeff, thank you for providing continued support and guidance. Please find my notes in-lined under tag GIM>>. Attached are the new working version and its diff to -12. There are two remaining Open Issues - 7 and 9. I much appreciate your considerations and suggestions.
Regards, Greg On Tue, Jun 16, 2020 at 2:01 PM Jeffrey Haas <jh...@pfrc.org> wrote: > [Apologies on further delay. The best way to cause unexpected work is to > offer a personal deadline to have something done.] > > Greg and the IESG, > > This update is vs. version -12 of the draft. > > General summary: Almost ready to go. Multiple issues are resolved. > Pending > items flagged here should be addressed. Once addressed, we'll ask the IESG > to take this up again. > > On Mon, Jan 27, 2020 at 05:17:05PM -0500, Jeffrey Haas wrote: > > Much like the BFD Working Group discussion on the BFD for vxlan feature, > the > > IESG review for the draft has reached a stage where it is difficult to > > determine what the related actions are. (IESG take note for tools > > discussion!) > > > > This email is an attempt to kick the conversation back into gear. > > > > My notes here are based on the current status of the document tracked > here: > > https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/ballot/ > > > > My comments on the draft are based on the -10 version of the draft as > > currently published. > > > > --- > > > > Open Issue 1: Discussion on TTL/Hop Limit = 1 > > > > Proposed Action: Greg has proposed text he will send to the working group > > suggesting GTSM procedures be utilized. The expected concern is how this > > impacts existing implementations. > > This issue is resolved. > > > > > --- > > > > Open Issue 2: Document Status should be Informational rather than > Proposed > > Standard. > > > > Proposed Action: Greg should make the document Informational. Prior WG > > discussion suggested that we don't really care what level it should be > at, > > and had actually requested IESG guidance long ago via our AD. > > This action is pending. > GIM>> Done > > > --- > > > > Open Issue 3: dst IP/MAC assignment procedures for inner VXLAN headers. > > (DISCUSS via Benjamin K.) Specifically per-VNI form rather than strictly > > VTEP-to-VTEP mode. > > > > Issue Comment 1 (Benjamin K.): This is "a namespace grab in what is > > essentially the tenant's namespace". > > > > Issue Comment 2 (Jeff H.): Joel Halpern flagged this repeatedly as well > as > > part of directorate review. > > > > Issue Comment 3 (Benjamin K.): "management VNI does not suffer from this > > namespacing issue". > > > > Issue Comment 4 (Jeff H./Benjamin K.): The concept of a "management VNI" > is > > not supported by existing standards work, but is accepted as a common > > implementation behavior. > > > > Issue Comment 5: A significant exploration of this set of issues is > > documented in the following thread: > > > https://mailarchive.ietf.org/arch/msg/rtg-bfd/SfXfu3pCh9BxaRFrXbEOgGt6xjE/ > > > > Proposed Action: Limit the Internet-Draft's applicability to verifying > > connectivity to the management VNI. "All other uses of the > specification to > > test toward other vxlan endpoints are out of scope." > > > > In reviewing the thread, my reading of the comments from Santosh, Anoop, > and > > Dinesh are effectively "don't break existing implementations". There is > > acknowledge among those in the discusssion that numbering space > collisions > > between the protocol codepoints chosen to run as endpoints for the BFD > for > > vxlan session and the tenant space are undesirable. It is generally > agreed > > in the thread (IMO) that for the "management VNI" case that this is not > > problematic, although the details of provisioning are still specific to > the > > implementation. > > > > By setting the case aside where a test to a specific VTEP may have tenant > > namespace collisions, the document can be cleaned of a lot of unnecessary > > edge cases that are difficult to generally resolve. Implementations that > > may choose to permit sessions to non-management VNIs will have need to > > resolve how to deal with collisions. > > The suggested action was taken. The document now refers only to the > management VNI, and offers a default value for that VNI number. > This should resolve a significant number of issues. > > > > > --- > > > > Open Issue 4: "multicast service node" text (COMMENT via Benjamin K.) > > > > Proposed Action: Incorporate suggested text from Benjamin K. to clarify > text > > in -10. > > This issue is resolved. > > > --- > > > > Open Issue 5: Comma parsing issue (COMMENT via Benjamin K.) > > > > Proposed Action: Accept Benjamin's suggested changes. (RFC Editor will > win > > the day here though!) > > This action is pending. > GIM>> Followed Benjamin's suggestion and replaced come with "that are": This document describes the use of Bidirectional Forwarding Detection (BFD) protocol to enable monitoring continuity of the path between VXLAN VTEPs that are performing as Network Virtualization Endpoints, and/or availability of a replicator MSN using a Management VNI (Section 4). > > > --- > > > > Open Issue 6: "Section 3, MUST NOT be forwarded to a VM" (COMMENT via > > Benjamin K.) > > > > Proposed Action: The fate of this issue is tied to Open Issue 3. > > If the proposal is limited solely to management VNI, this text is not > > relevant and may be deleted. > > This action is still open. > GIM>> Deleted the sentence. > > > --- > > > > Open Issue 7: "::FFFF:7F00:0/104 IPv6 range" (COMMENT via Benjamin K.) > > > > Proposed Action: I believe this issue's fate is similarly tied to Open > Issue 3. > > If the proposal is limited solely to management VNI, this text is not > > relevant and may be deleted. > > This action is still pending. > GIM>> There are two references to this IPv6 range. I think that the document should give a recommendation on what address to use as the destination IP address. As we've discussed with Adam Roach, only ::ffff: 127.0.0.1/128 has host loopback meaning in IPv6. I propose to change throughout the text from "one of the addresses from IPv6 range" to "::ffff: 127.0.0.1/128 for IPv6". > > > --- > > > > Open Issue 8: "Section 4: MUST ensure that the BFD Control packet is not > > forwarded to a tenant but is processed locally at the remote VTEP" > (COMMENT > > via Benjamin K.) > > > > Proposed Action: I believe this issue's fate is similarly tied to Open > Issue 3. > > If the proposal is limited solely to management VNI, this text is not > > relevant and may be deleted. > > This action is still pending and perhaps requires further discussion. > > Benjamin's point was: > "This has to be 100% reliable, and I think we need to provide some > example mechanism that has that property even if we don't mandate that > it be the only allowed mechanism." > > The motivation here was that when this specification was intended to > address > a fully generalized BFD for vxlan for arbitrary VNIs, there was a strong > need to say "do not forward the BFD traffic to the tenant". > > For the now default scenario of only the management VNI, this text may be > adequate. Benjamin should look at the current document and decide if the > scenario is still of concern. > GIM>> No changes for now. > > > --- > > > > Open Issue 9: "Destination MAC: This MUST NOT be of one of tenant's MAC > > addresses." (COMMENT via Benjamin K.) > > > > Proposed Action: I believe this issue's fate is similarly tied to Open > Issue 3. > > If the proposal is limited solely to management VNI, this text is not > > relevant and may be deleted. > > In -12, we now have the following text: > "Destination MAC: since a Management VNI is the VNI that does > not have any tenants, the value of this field is not analyzed > by the receiving VTEP." > > For the management VNI, this text is true. However, it likely requires a > value that is described in the specification. > > Proposed solution: A MAC value should be chosen that is well known and the > text would become: > > "Destination MAC: A Management VNI, which does not have any tenants, will > have no dedicated MAC address for decapsulated traffic. The value > X:X:X:X:X > SHOULD be used in this field." > > SHOULD might need to be MUST. Since a partial motivation for permitting > the > flexibility in the specification to NOT use the management VNI is desired, > MUST might be inappropriate. > GIM>> Accepted the suggested text. I agree that the flexibility to not use the Management VNI is permitted in the specification and thus SHOULD in the text is consistent with that scenario. How would we pick the MAC address? > > > --- > > > > Open Issue 10: "The details of how the MAC address is obtained are > outside > > the scope of this document." (COMMENT via Benjamin K.) > > > > Proposed Action: None. Reason 1: If we go with only the management VNI, > > provisioning remains an easy answer. Reason 2: If we go with VNI-to-VNI > > mode, it's not unreasonable for the environment to claim a MAC address. > > This is no different than a switch itself. Collisions would be handled > via > > updated configuration. > > This issue is resolved by only describing the management VNI. > > > --- > > > > Open Issue 11: "dst IP header MUST NOT be one of tenant's" (COMMENT via > Benjamin > > K.) > > > > Comment 1 (Jeff H.): The loopback range as a destination would serve to > > catch BFD traffic in either VNI-to-VNI or VTEP-to-VTEP mode. I think > this > > is more clearly understood after the IESG reviewed the existing > mechanisms > > using the loopback address range in existing RFCs. > > > > Proposed Action: I believe this issue's fate is similarly tied to Open > Issue 3. > > If the proposal is limited solely to management VNI, this text is not > > relevant and may be deleted. > > In the current text for -12, the host loopback range serves to provide the > necessary mechanism. Given the restricted scope of the the management VNI, > I believe the unchanged text is sufficient. > GIM>> Thank you. > > > --- > > > > Open Issue 12: "Section 5, BFD dst mac collision with tenant" (COMMENT > via > > Benjamin K.) > > > > Proposed Action: I believe this issue's fate is similarly tied to Open > Issue 3. > > If the proposal is limited solely to management VNI, this text is not > > relevant and may be deleted. > > I believe the text in -12 describing only the management VNI resolves this > issue. > > > --- > > > > Open Issue 13: "The UDP destination port and the TTL of the inner IP > packet > > MUST be validated to determine if the received packet can be processed by > > BFD." (COMMENT via Benjamin K.) > > > > Proposed Action: Provide reference to RFC 5880/5881 sections covering > > existing BFD procedure. Do not copy and paste from them. > > The text in -12 is: > > "Validation of TTL / Hop Limit of the inner IP packet, as long as the > related considerations for BFD control packet demultiplexing and > authentication, is performed as described in Section 5 [RFC5881]." > > This text is slightly awkward English, but I believe covers the intent. > I suggest rewording this to: > > "The received packet's inner IP payload is then validated according to > Sections 4 and 5 in [RFC5881]." > GIM>> This text is the result of my discussion with Carlos. I'm accepting Jeff's proposal and hope Carlos will agree. > > > --- > > > > Open Issue 14: "nits ... then the BFD session" (COMMENT via Benjamin K.) > > > > Proposed Action: Accept grammar correction. > > This issue is no longer relevant in -12. > > > --- > > > > Open Issue 15: "Section 6" (COMMENT via Benjamin K.) > > > > Proposed Action: I believe this issue's fate is similarly tied to Open > Issue 3. > > If the proposal is limited solely to management VNI, this text is not > > relevant and may be deleted. In particular, this section attempts to > > justify VNI-to-VNI mode poorly. > > This issue is no longer relevant in -12. > > > --- > > > > Open Issue 16: "Section 9" regarding mis-forwarding/filtering of BFD > traffic > > toward tenant (COMMENT via Benjamin K.) > > > > Proposed Action: I believe this issue's fate is similarly tied to Open > Issue 3. > > If the proposal is limited solely to management VNI, this text is not > > relevant and may be deleted. > > I believe the new text, describing only the management VNI, obviates this > comment. > > > --- > > > > (Alvaro's DISCUSSes are covered by the above.) > > > > (Alvaro acknowledged that his COMMENTS were cleared on December 25, 2019) > > > > (Eric V's DISCUSS points are covered by prior open points regarding: > > - TTL (see Open Issue 1) > > - Mapped IPv6 addresses were covered in discussion with IESG about > existing > > RFC behavior for this range. > > - The mismatch between document IANA action and shepherd writeup is an > > artifact of document changes since the shepherd writeup had happened.. > > The document currently has no open IANA actions. > > - Section 9 issues about TTL were addressed in -09 of the document.) > > > > --- > > > > Open Issue 17: "RFC 5881 (BFD) states that it applies to IPv4/IPv6 > tunnels, > > may I infer that this document is only required to address the Ethernet > > encapsulation ? I.e. specifying the Ethernet MAC addresses?" (COMMENT > via > > Eric V.) > > > > Comment 1 (Jeff H.): RFC 5881 addresses single-hop "that is associated > with > > an incoming interface". vxlan requires additional demultiplexing based > on > > packet contents and thus the comment is not fully applicable. This > document > > (draft-ietf-bfd-vxlan) is intended to cover the vxlan protocol > encapsulation > > for BFD. > > > > Proposed Action: No action required. > > No action was taken. > > > --- > > > > Open Issue 18: "BFD session per VXLAN VNI" (COMMENT via Eric V.) > > > > Proposed Action: I believe this issue's fate is similarly tied to Open > Issue 3. > > If the proposal is limited solely to management VNI, this text is not > > relevant and may be deleted. > > This issue should be resolved by only describing the management VNI in -12. > > > --- > > > > Open Issue 19: "Section 4...FCS" (COMMENT via Eric V.) > > > > Proposed Action: Accept suggested change to "Outer Ethernet FCS"? > > This action is pending. > GIM>> In Figure 2 s/Outer FCS/Outer Ethernet FCS/ > > > --- > > > > Open Issue 20: "using the src mac as the dst mac" (COMMENT via Eric V.) > > > > Proposed Action: ? I'm unclear what the proposal and comment is here. > > It is unclear what action was requested. > > > --- > > > > (TTL issues noted by Eric V. addressed in Open Issue 1.) > > > > --- > > > > Open Issue 21: "throttling of BFD control packets" (COMMENT via Roman D..) > > > > Proposed Action: The section on throttling is written in a confusing > manner > > and is in need of a re-write. > > > > In particular, what's unclear is what is doing the throttling and why? > If > > the comment is intended to say that some forms of rate-limiting of the > vxlan > > traffic between two systems is in place that it may impact BFD, it should > > say that. And perhaps once said, omit giving "advice". "If it hurts, > don't > > do that." > > These issues were addressed by referring to existing security > considerations > in RFCs 5880, 5881, and 7348. > > > --- > > > > (COMMENTS from Roman D. addressed in -10 and earlier: > > - citing specific security considerations applicability > > - nits > > ) > > > > (COMMENT from Suresh K. covered in open issues above.) > > > > (COMMENT from Warren K. regardig loopback network range discussed above..) > > > > --- > > > > Open Issue 22: "terminology isn't" (COMMENT via Warren K.) > > > > Proposed Action: Either rename the section "acronyms used in this > document" > > or expand the section to cover the terminology. > > This action is still pending. > GIM>> Change the title of the sub-section s/Terminology/Acronyms/ > > > --- > > > > (Mirja K. indirects a number of issues to "See Olivier's TSV-ART review", > > which is present in this message: > > > https://mailarchive.ietf.org/arch/msg/rtg-bfd/y3xDkvpT-ZodhcaBRHNOSDVByA8/ > ) > > > > Open Issue 23: "follow same lookup path needs more explanation" > > > > Proposed Action: Add a sentence explaining that this is to ensure that > the > > encapsulated BFD traffic requires following the equivalent data path to > > protect the resource" > > Section 5 now contains: > "BFD packets MUST be encapsulated and sent to a remote VTEP as > explained in this section. Implementations SHOULD ensure that the > BFD packets follow the same forwarding path as VXLAN data packets > within the sender system." > > I believe this addresses the issue. > > > --- > > > > Open Issue 24: "Discuss ECMP considerations" (TSV-ART via Olivier B.) > > > > Comment 1 (Jeff H.): I believe this came up in the message thread, but > base > > BFD also has similar unclear ECMP behaviors. The working group has > avoided > > trying to standardize anything regarding ECMP since it gets very > > implementation specific. Some vendors will go out of their way to do > things > > to mitigate ECMP considerations when BFD is in place; others simply > ignore > > it. > > > > Proposed Action: Unclear. None? > > No action has been taken here. I believe this is appropriate. > > > --- > > > > (Minor issues report by Olivier B. that have been addressed in -10 or > > earlier: > > - p2p vxlan tunnel wording > > - VNI has been added to section 2.1 > > - "figure 1 could take less space" - not addressed. > > - section 4 flattened to remove unnecessary sub-sections > > - "dedicated mac" address no longer in current versions of document > > - "v4 in v6 / v6 in v4, etc." - intentionally unspecified since > arbitrary > > encapsulations are supported by specification. Implementations may > have > > specific limitations. > > - "section 5 dedicated mac" no longer in the document > > - "decapsulation procedure reference" I believe has been clarified.) > > > > (Mirja's comment on status is covered by Open Issue 2) > > > > (Comments from Barry L. addressed: > > - "forming up" > > - bfd packet/vtep packets/vteps plurality agreement. > > - "may be configured" clarified. > > - Section 4.1 "of") > > > > --- > > > > Open Issue 25: "leading to a false negative" (COMMENT via Barry L.) > > > > Proposed Action: The underlying concern in this sentence is that BFD > packets > > must not be mis-delivered to VMs since there will be no BFD machinery > > present in that VM to execute the BFD procedures and thus sessions will > > drop. Possible action is to simply delete this sentence since it > > prematurely anticipates procedures later described in the document. > > This action is still pending. > GIM>> The sentence is now removed in response to Open Issue 6. > > > > > --- > > > > Open Issue 26: "loopback range through a firewall" (COMMENT via Barry L..) > > > > Proposed Action: Accept suggested rewording. > > This action is still pending. > GIM>> I think that Barry's comment has been already captured in the -12. Barry wrote: It is RECOMMENDED to allow addresses from the loopback range through a firewall only if it is used as the destination IP address in the inner IP header, and the destination UDP port is set to 3784 [RFC5881]. I THINK the antecedent for “it” is meant to be “addresses from the loopback range”, though because of the number mismatch it looks like the antecedent is “a firewall”. One fix is to change “addresses” to “an address”, correcting the number error, but that leaves the ambiguity. Maybe betterto make it “only if they are used as destination IP addresses”. Also, remove the comma.. The current text: It is RECOMMENDED to allow addresses from the loopback range through a firewall only if they are used as the destination IP addresses in the inner IP header and the destination UDP port is set to 3784 [RFC5881]. > > > --- > > > > Open Issue 27: "Section 4...addresses the scenario" (COMMENT via Barry > L.) > > > > Proposed Action: This sentence needs to be reworded. > > This issue is addressed by referring to GTSM mechanisms per other > discussion. > > > --- > > > > (Comments from Adam R. addressed: > > - Form of ipv6 mapped address. > > - Usage of loopback network addresses compared to prior RFCs discussed > in > > thread with IESG.) > > > > > > > > > > > > -- Jeff > > From jhaas as part of reviewing -12: > > --- > > Section 7 should be rewritten as: > 7. BFD Echo Function > > Support for the BFD Echo function [RFC5880], Section 3.2, is outside the > scope of this document. > > --- > > There remain a few minor English article agreement issues in the text, but > these can be deferred to the RFC Editor's preference for resolution. > > -- Jeff > > >
BFD S. Pallagatti, Ed.
Internet-Draft VMware
Intended status: Informational S. Paragiri
Expires: December 18, 2020 Individual Contributor
V. Govindan
M. Mudigonda
Cisco
G. Mirsky
ZTE Corp.
June 16, 2020
BFD for VXLAN
draft-ietf-bfd-vxlan-13
Abstract
This document describes the use of the Bidirectional Forwarding
Detection (BFD) protocol in point-to-point Virtual eXtensible Local
Area Network (VXLAN) tunnels used to form an overlay network.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 18, 2020.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Pallagatti, et al. Expires December 18, 2020 [Page 1]
Internet-Draft BFD for VXLAN June 2020
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in this Document . . . . . . . . . . . . . . 3
2.1. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Requirements Language . . . . . . . . . . . . . . . . . . 4
3. Deployment . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Use of the Management VNI . . . . . . . . . . . . . . . . . . 6
5. BFD Packet Transmission over VXLAN Tunnel . . . . . . . . . . 6
6. Reception of BFD Packet from VXLAN Tunnel . . . . . . . . . . 8
7. Echo BFD . . . . . . . . . . . . . . . . . . . . . . . . . . 8
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
9. Security Considerations . . . . . . . . . . . . . . . . . . . 8
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 9
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
12.1. Normative References . . . . . . . . . . . . . . . . . . 9
12.2. Informational References . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
"Virtual eXtensible Local Area Network" (VXLAN) [RFC7348] provides an
encapsulation scheme that allows building an overlay network by
decoupling the address space of the attached virtual hosts from that
of the network.
One use of VXLAN is in data centers interconnecting virtual machines
(VMs) of a tenant. VXLAN addresses requirements of the Layer 2 and
Layer 3 data center network infrastructure in the presence of VMs in
a multi-tenant environment by providing a Layer 2 overlay scheme on a
Layer 3 network [RFC7348]. Another use is as an encapsulation for
Ethernet VPN [RFC8365].
This document is written assuming the use of VXLAN for virtualized
hosts and refers to VMs and VXLAN Tunnel End Points (VTEPs) in
hypervisors. However, the concepts are equally applicable to non-
virtualized hosts attached to VTEPs in switches.
In the absence of a router in the overlay, a VM can communicate with
another VM only if they are on the same VXLAN segment. VMs are
unaware of VXLAN tunnels as a VXLAN tunnel is terminated on a VTEP.
Pallagatti, et al. Expires December 18, 2020 [Page 2]
Internet-Draft BFD for VXLAN June 2020
VTEPs are responsible for encapsulating and decapsulating frames
exchanged among VMs.
The ability to monitor path continuity, i.e., perform proactive
continuity check (CC) for point-to-point (p2p) VXLAN tunnels, is
important. The asynchronous mode of BFD, as defined in [RFC5880], is
used to monitor a p2p VXLAN tunnel.
In the case where a Multicast Service Node (MSN) (as described in
Section 3.3 of [RFC8293]) participates in VXLAN, the mechanisms
described in this document apply and can, therefore, be used to test
the connectivity from the source NVE to the MSN.
This document describes the use of Bidirectional Forwarding Detection
(BFD) protocol to enable monitoring continuity of the path between
VXLAN VTEPs that are performing as Network Virtualization Endpoints,
and/or availability of a replicator MSN using a Management VNI
(Section 4). All other uses of the specification to test toward
other VXLAN endpoints are out of the scope.
2. Conventions Used in this Document
2.1. Acronyms
BFD Bidirectional Forwarding Detection
CC Continuity Check
p2p Point-to-point
MSN Multicast Service Node
NVE Network Virtualization Endpoint
VFI Virtual Forwarding Instance
VM Virtual Machine
VNI VXLAN Network Identifier (or VXLAN Segment ID)
VTEP VXLAN Tunnel End Point
VXLAN Virtual eXtensible Local Area Network
Pallagatti, et al. Expires December 18, 2020 [Page 3]
Internet-Draft BFD for VXLAN June 2020
2.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Deployment
Figure 1 illustrates the scenario with two servers, each of them
hosting two VMs. The servers host VTEPs that terminate two VXLAN
tunnels with VXLAN Network Identifier (VNI) number 100 and 200
respectively. Separate BFD sessions can be established between the
VTEPs (IP1 and IP2) for monitoring each of the VXLAN tunnels (VNI 100
and 200). Using a BFD session to monitor a set of VXLAN VNIs between
the same pair of VTEPs might help to detect and localize problems
caused by misconfiguration. An implementation that supports this
specification MUST be able to control the number of BFD sessions that
can be created between the same pair of VTEPs. This method is
applicable whether the VTEP is a virtual or physical device.
Pallagatti, et al. Expires December 18, 2020 [Page 4]
Internet-Draft BFD for VXLAN June 2020
+------------+-------------+
| Server 1 |
| +----+----+ +----+----+ |
| |VM1-1 | |VM1-2 | |
| |VNI 100 | |VNI 200 | |
| | | | | |
| +---------+ +---------+ |
| VTEP (IP1) |
+--------------------------+
|
| +-------------+
| | Layer 3 |
+---| Network |
+-------------+
|
+-----------+
|
+------------+-------------+
| VTEP (IP2) |
| +----+----+ +----+----+ |
| |VM2-1 | |VM2-2 | |
| |VNI 100 | |VNI 200 | |
| | | | | |
| +---------+ +---------+ |
| Server 2 |
+--------------------------+
Figure 1: Reference VXLAN Domain
At the same time, a service layer BFD session may be used between the
tenants of VTEPs IP1 and IP2 to provide end-to-end fault management
(this use case is outside the scope of this document). In such a
case, for VTEPs BFD Control packets of that session are
indistinguishable from data packets.
For BFD Control packets encapsulated in VXLAN (Figure 2), the inner
destination IP address SHOULD be set to one of the loopback addresses
from 127/8 range for IPv4 or to one of IPv4-mapped IPv4 loopback
addresses from ::ffff:127.0.0.0/104 range for IPv6. There could be a
firewall configured on VTEP to block loopback addresses if set as the
destination IP in the inner IP header. It is RECOMMENDED to allow
addresses from the loopback range through a firewall only if they are
used as the destination IP addresses in the inner IP header and the
destination UDP port is set to 3784 [RFC5881].
Pallagatti, et al. Expires December 18, 2020 [Page 5]
Internet-Draft BFD for VXLAN June 2020
4. Use of the Management VNI
In most cases, a single BFD session is sufficient for the given VTEP
to monitor the reachability of a remote VTEP, regardless of the
number of VNIs. When the single BFD session is used to monitor the
reachability of the remote VTEP, an implementation SHOULD choose any
of the VNIs. An implementation that supports this specification MUST
support the use of the Management VNI as control and management
channel between VTEPs. The selection of the VNI number of the
Management VNI MUST be controlled through a management plane. An
implementation MAY use VNI number 1 as the default value for the
Management VNI. All VXLAN packets received on the Management VNI
MUST be processed locally and MUST NOT be forwarded to a tenant.
5. BFD Packet Transmission over VXLAN Tunnel
BFD packets MUST be encapsulated and sent to a remote VTEP as
explained in this section. Implementations SHOULD ensure that the
BFD packets follow the same forwarding path as VXLAN data packets
within the sender system.
BFD packets are encapsulated in VXLAN as described below. The VXLAN
packet format is defined in Section 5 of [RFC7348]. The value in the
VNI field of the VXLAN header MUST be set to the value selected as
the Management VNI. The Outer IP/UDP and VXLAN headers MUST be
encoded by the sender as defined in [RFC7348].
Pallagatti, et al. Expires December 18, 2020 [Page 6]
Internet-Draft BFD for VXLAN June 2020
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Outer Ethernet Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Outer IPvX Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Outer UDP Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ VXLAN Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Inner Ethernet Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Inner IPvX Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Inner UDP Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ BFD Control Packet ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Outer Ethernet FCS |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: VXLAN Encapsulation of BFD Control Packet
The BFD packet MUST be carried inside the inner Ethernet frame of the
VXLAN packet. The choice of Destination MAC and Destination IP
addresses for the inner Ethernet frame MUST ensure that the BFD
Control packet is not forwarded to a tenant but is processed locally
at the remote VTEP. The inner Ethernet frame carrying the BFD
Control packet- has the following format:
Ethernet Header:
Pallagatti, et al. Expires December 18, 2020 [Page 7]
Internet-Draft BFD for VXLAN June 2020
Destination MAC: A Management VNI, which does not have any
tenants, will have no dedicated MAC address for decapsulated
traffic. The value X:X:X:X:X SHOULD be used in this field.
Source MAC: MAC address associated with the originating VTEP.
IP header:
Destination IP: IP address MUST NOT be of one of tenant's IP
addresses. The IP address SHOULD be selected from the range
127/8 for IPv4, for IPv6 - from the range ::ffff:127.0.0.0/104.
Alternatively, the destination IP address MAY be set to VTEP's
IP address.
Source IP: IP address of the originating VTEP.
TTL or Hop Limit: MUST be set to 255 in accordance with the
Generalized TTL Security Mechanism [RFC5082].
The fields of the UDP header and the BFD Control packet are
encoded as specified in [RFC5881].
6. Reception of BFD Packet from VXLAN Tunnel
Once a packet is received, the VTEP MUST validate the packet. If the
packet is received on the management VNI and is identified as BFD
control packet addressed to the VTEP, and then the packet can be
processed further. Processing of BFD control packets received on
non-management VNI is outside the scope of this specification.
The received packet's inner IP payload is then validated according to
Sections 4 and 5 in [RFC5881].
7. Echo BFD
Support for echo BFD is outside the scope of this document.
8. IANA Considerations
This specification has no IANA action requested. This section may be
deleted before the publication.
9. Security Considerations
Security issues discussed in [RFC5880], [RFC5881], and [RFC7348]
apply to this document.
Pallagatti, et al. Expires December 18, 2020 [Page 8]
Internet-Draft BFD for VXLAN June 2020
This document recommends using an address from the Internal host
loopback addresses 127/8 range for IPv4 or an IP4-mapped IPv4
loopback address from ::ffff:127.0.0.0/104 range for IPv6 as the
destination IP address in the inner IP header. Using such an address
prevents the forwarding of the encapsulated BFD control message by a
transient node in case the VXLAN tunnel is broken as according to
[RFC1812]:
A router SHOULD NOT forward, except over a loopback interface, any
packet that has a destination address on network 127. A router
MAY have a switch that allows the network manager to disable these
checks. If such a switch is provided, it MUST default to
performing the checks.
If the implementation supports establishing multiple BFD sessions
between the same pair of VTEPs, there SHOULD be a mechanism to
control the maximum number of such sessions that can be active at the
same time.
10. Contributors
Reshad Rahman
rrah...@cisco.com
Cisco
11. Acknowledgments
Authors would like to thank Jeff Haas of Juniper Networks for his
reviews and feedback on this material.
Authors would also like to thank Nobo Akiya, Marc Binderberger,
Shahram Davari, Donald E. Eastlake 3rd, Anoop Ghanwani, Dinesh Dutt,
Joel Halpern, and Carlos Pignataro for the extensive reviews and the
most detailed and constructive comments.
12. References
12.1. Normative References
[RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers",
RFC 1812, DOI 10.17487/RFC1812, June 1995,
<https://www.rfc-editor.org/info/rfc1812>.
Pallagatti, et al. Expires December 18, 2020 [Page 9]
Internet-Draft BFD for VXLAN June 2020
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., Ed., and C.
Pignataro, "The Generalized TTL Security Mechanism
(GTSM)", RFC 5082, DOI 10.17487/RFC5082, October 2007,
<https://www.rfc-editor.org/info/rfc5082>.
[RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
(BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010,
<https://www.rfc-editor.org/info/rfc5880>.
[RFC5881] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
(BFD) for IPv4 and IPv6 (Single Hop)", RFC 5881,
DOI 10.17487/RFC5881, June 2010,
<https://www.rfc-editor.org/info/rfc5881>.
[RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
eXtensible Local Area Network (VXLAN): A Framework for
Overlaying Virtualized Layer 2 Networks over Layer 3
Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014,
<https://www.rfc-editor.org/info/rfc7348>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
12.2. Informational References
[RFC8293] Ghanwani, A., Dunbar, L., McBride, M., Bannai, V., and R.
Krishnan, "A Framework for Multicast in Network
Virtualization over Layer 3", RFC 8293,
DOI 10.17487/RFC8293, January 2018,
<https://www.rfc-editor.org/info/rfc8293>.
[RFC8365] Sajassi, A., Ed., Drake, J., Ed., Bitar, N., Shekhar, R.,
Uttaro, J., and W. Henderickx, "A Network Virtualization
Overlay Solution Using Ethernet VPN (EVPN)", RFC 8365,
DOI 10.17487/RFC8365, March 2018,
<https://www.rfc-editor.org/info/rfc8365>.
Pallagatti, et al. Expires December 18, 2020 [Page 10]
Internet-Draft BFD for VXLAN June 2020
Authors' Addresses
Santosh Pallagatti (editor)
VMware
Email: santosh.pallaga...@gmail.com
Sudarsan Paragiri
Individual Contributor
Email: sudarsan....@gmail.com
Vengada Prasad Govindan
Cisco
Email: vengg...@cisco.com
Mallik Mudigonda
Cisco
Email: mmudi...@cisco.com
Greg Mirsky
ZTE Corp.
Email: gregimir...@gmail.com
Pallagatti, et al. Expires December 18, 2020 [Page 11]
<<< text/html; charset="UTF-8"; name="Diff_ draft-ietf-bfd-vxlan-12.txt - draft-ietf-bfd-vxlan-13.txt.html": Unrecognized >>>
