Internet-Draft: D-PATH for Layer2 EVPN (April 2023)
Rabadan, et al. Expires 20 October 2023
The BGP Domain PATH (D-PATH) attribute is defined for Inter-Subnet Forwarding (ISF) BGP Sub-Address Families that advertise IP prefixes. When used along with EVPN IP Prefix routes or IP-VPN routes, it identifies the domain(s) through which the routes have passed and that information can be used by the receiver BGP speakers to detect routing loops or influence the BGP best path selection. This document extends the use of D-PATH so that it can also be used along with other EVPN route types.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 20 October 2023.
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
The BGP Domain PATH (D-PATH) attribute [I-D.ietf-bess-evpn-ipvpn-interworking] is defined for Inter-Subnet Forwarding (ISF) BGP Sub-Address Families that advertise IP prefixes. When used along with EVPN IP Prefix routes or IP-VPN routes, it identifies the domain(s) through which the routes have passed and that information can be used by the receiver BGP speakers to detect routing loops or influence the BGP best path selection. This document extends the use of D-PATH so that it can also be used along with other EVPN route types.
The D-PATH attribute can be used to prevent control plane loops for EVPN routes, or to provide full path visibility of all the EVPN Interconnect Gateways through which a route has gone and modify the best path selection based on it. Some use cases in which D-PATH can be used along with (non-IP Prefix) EVPN routes follow, but the use cases are not limited to the ones described in this section.
Figure 1 illustrates an EVPN Interconnect case where EVPN MAC/IP Advertisement routes can be looped indefinitely. The three Gateways (GW1, GW2 and GW3) and PE1 in the diagram are attached to the same EVPN Broadcast Domain (BD1). However, BD1 is extended throughout three different domains that are interconnected by the Gateways, which follow [RFC9014] procedures. Suppose a host with MAC address M1 is learned on GW1 and GW1 advertises an EVPN MAC/IP Advertisement route for M1 into Domain-1 and Domain-2. When the route gets imported by GW2 and GW3 and later exported into Domain-3, GW2 and GW3 may redistribute each other's route for M1 back into Domain-1 and Domain-2, respectively, creating a loop. D-PATH can be used by the Gateways when redistributing the route between Domains, to identify the Domains through which the route for M1 has gone. When GW1 receives an EVPN MAC/IP Advertisement route for M1 that contains a D-PATH with a domain-id locally assigned, GW1 identifies the route as "looped".
          +----------------+ GW2
          |   EVPN        +-------+
          |   Domain-1    | +---+ |
          |               | |BD1| |---------------+
          |               | +---+ |               |
     GW1  |               +-------+               |    PE1
   +-------+               |     |    EVPN       +-------+
   | +---+ |---------------+     |    Domain-3   | +---+ |
   | |BD1| |                     |               | |BD1| |
   | +---+ |---------------+     |               | +---+ |
   +---|---+               | GW3 |               +---|---+
       |  |   EVPN        +-------+               |  |
   M1--+  |   Domain-2    | +---+ |               |  +--M2
          |               | |BD1| |---------------+
          |               | +---+ |
          |               +-------+
          +----------------+
Similar examples are possible with EVPN VPWS services on the Gateways and PEs, where loop prevention for the redistributed A-D per EVI routes is needed. D-PATH provides the end to end path visibility that is required to prevent the loop.
Figure 2 illustrates another [RFC9014] EVPN Interconnect case where, in addition to using D-PATH to prevent EVPN MAC/IP Advertisement route loops when redistributing routes between domains, the D-PATH attribute can also influence the best path selection for the routes. For example, if all the Gateways in the diagram are attached to the same BD1, an EVPN MAC/IP Advertisement route for MAC address M1 advertised by GW1 is advertised into Domain-1 and Domain-4. Two routes for M1 will arrive at GW3 with different route distinguishers and BGP Next Hops. If D-PATH is used by all the Gateways, the two routes arriving at GW3 will have a different sequence of domain-ids in the D-PATH attribute. GW3 can use the length of the D-PATH as a way of influencing the selection (i.e., the shortest D-PATH route is selected). D-PATH improves the path visibility of the route since it provides information about all the Domains through which the route has passed.
        +----------+ GW11  +----------+  GW2  +----------+
        | EVPN     +-------+ EVPN     +-------+ EVPN     |
        | Domain-1 | +---+ | Domain-2 | +---+ | Domain-3 |
        |          | |BD1| |          | |BD1| |          |
        |          | +---+ |          | +---+ |          |
   GW1  |          +-------+          +-------+          |  GW3
 +-------+         |       |          |       |         +-------+
 | +---+ |---------+       +----------+       +---------| +---+ |
 | |BD1| |                                              | |BD1| |
 | +---+ |---------+       +----------------------------| +---+ |
 +---|---+         | GW12  |                            +---|---+
     |  | EVPN     +-------+      EVPN                   |  |
 M1--+  | Domain-4 | +---+ |      Domain-5               |  +--M2
        |          | |BD1| |                             |
        |          | +---+ |                             |
        |          +-------+                             |
        +----------+       +-----------------------------+
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
This section summarizes the terminology that is used throughout the rest of the document.
EVPN Domain: two PEs are in the same EVPN Domain if they are attached to the same service and the packets between them do not require a data path lookup of the inner frame (e.g., in the BD of a MAC-VRF) in any intermediate router. An EVPN Domain Gateway PE is always configured with multiple Domain identifiers (EVPN Domain-ID) in the MAC-VRF or VPWS that connects those EVPN Domains, each EVPN Domain-ID representing an EVPN Domain.
Example: Figure 3 illustrates an example where PE1 and PE2 belong to different EVPN Domains since packets between them (for flows between hosts with MAC addresses M1 and M2) require a MAC lookup in two of the gateways that are connecting the three EVPN Domains. E.g., if frames from M1 to M2 go through PE1, GW1, GW3 and PE2, a MAC lookup is performed at GW1 and GW3.
                        GW1------------GW3
                      +------+       +------+
        +-------------| BD1  |       | BD1  |-------------+
       PE1            +------+       +------+            PE2
     +------+            |              |             +------+
  M1-| BD1  |   EVPN     |     EVPN     |     EVPN    |  BD1 |-M2
     +------+           GW2            GW4            +---+--+
        |             +------+       +------+             |
        +-------------| BD1  |       | BD1  |-------------+
                      +------+       +------+
                         +--------------+
         EVPN Domain 1     EVPN Domain 2  EVPN Domain 3
        <---------------> <------------> <---------------->
This document extends the use of the D-PATH attribute specified in [I-D.ietf-bess-evpn-ipvpn-interworking] so that D-PATH can be advertised and processed along with the following EVPN route types:
As discussed, the use of D-PATH with EVPN IP Prefix routes is specified in [I-D.ietf-bess-evpn-ipvpn-interworking]. When used along with EVPN routes other than IP Prefix routes, the D-PATH attribute is characterized as follows:
For non-Inter Subnet Forwarding EVPN MAC/IP Advertisement routes or EVPN A-D per EVI routes [I-D.ietf-bess-rfc7432bis], D-PATH SHOULD be added/modified by an EVPN Domain Gateway that redistributes the route between EVPN Domains and MAY be added by a PE or EVPN Domain Gateway that originates the route, as follows:
When two (or more) MAC/IP Advertisement routes with the same route key (and same or different RDs) are received, a best path selection algorithm is used to select and install only one route. The best path selection for MAC/IP Advertisement routes is specified in [I-D.ietf-bess-rfc7432bis], in section 7.13.1, and this document modifies the algorithm by including the D-PATH comparison across EVPN MAC/IP Advertisement routes after tie-breaking rule 5 in [I-D.ietf-bess-rfc7432bis] section 7.13.1, which removes from consideration routes that are not tied for higher degree of preference.
If none of the tie-breaking rules up to (and including) rule 5 produces a single route, the router compares the D-PATH attribute in the remaining candidate routes:
If the steps above do not produce a single route, then the rest of the rules in [I-D.ietf-bess-rfc7432bis] follow.
When two (or more) EVPN A-D per EVI routes with the same route key (and same or different RDs) are received for a Virtual Private Wire Service (VPWS), a best path selection algorithm is used. The best path selection for EVPN A-D per EVI routes is specified in [I-D.ietf-bess-rfc7432bis], in section 7.13.2, and this document modifies the algorithm by including the D-PATH comparison across EVPN A-D per EVI routes in the same way Section 4.1 does it for EVPN MAC/IP Advertisement routes. That is, rules 1 and 2 of Section 4.1 are interleaved between rules 5 and 6 of [I-D.ietf-bess-rfc7432bis].
When two (or more) EVPN Inclusive Multicast Ethernet Tag routes with the same route key (and same or different RDs) are received for a MAC-VRF, a best path selection algorithm is used and only one of them is programmed. The selection algorithm follows [I-D.ietf-bess-rfc7432bis], with the same D-PATH comparison steps as in Section 4.1 interleaved between rules 5 and 6 of [I-D.ietf-bess-rfc7432bis].
An EVPN route received by a PE with a D-PATH attribute that contains one or more of its locally associated Domain-IDs for the MAC-VRF or VPWS instance is considered to be a looped route. A looped route MUST NOT be redistributed to a different domain and SHOULD be flagged as "looped".
EVPN A-D per EVI looped routes and Inclusive Multicast Ethernet Tag looped routes MUST NOT be installed, where "install" in this document means "create forwarding state". An EVPN MAC/IP Advertisement looped route MAY be installed if selected as the best route.
For instance, in the example of Figure 3, assuming PE1 advertises M1's MAC/IP and does not add the D-PATH attribute, the EVPN Domain Gateway GW1 receives two MAC/IP Advertisement routes for M1's MAC/IP:
In this case, EVPN Domain Gateway GW1 flags the MAC/IP Advertisement route with D-PATH as "looped", does not install the MAC in the BD, and does not redistribute the route back to EVPN Domain 1 (since the route includes one of GW1's Domain-IDs). In case the MAC/IP Advertisement route with next-hop PE1 is withdrawn, GW1 may install the route with next-hop GW2 and D-PATH <6500:1:EVPN>; this may help speed up convergence in case of failures.
The procedures described in this section, based on D-PATH, can be used along with the Ethernet Segment Identifier of the received routes as a way to detect looped routes on EVPN domain gateways attached to an Interconnect Ethernet Segment as in [RFC9014]. An EVPN domain gateway MUST NOT redistribute a received EVPN MAC/IP route or EVPN A-D per EVI route with an Ethernet Segment Identifier value that matches the value of a local Ethernet Segment, irrespective of the D-PATH Domain-IDs.
The error handling for the D-PATH attribute is described in [I-D.ietf-bess-evpn-ipvpn-interworking]. This document extends the use of D-PATH to non-Inter Subnet Forwarding (non-ISF) EVPN routes.
This section illustrates the use of D-PATH in EVPN routes with examples.
Figure 4 and Figure 5 illustrate an integrated interconnect solution for an EVPN BD, as described in section 4.4 and section 4.6 of [RFC9014]. GW1 and GW2 are EVPN Domain Gateways connecting two EVPN Domains identified by D-PATH domain {1:1:EVPN} and {1:2:EVPN}, respectively. Received Ethernet A-D routes, ES routes, and Inclusive Multicast routes from the routers in one EVPN Domain are consumed and processed by GW1 and GW2, but not redistributed to the other EVPN Domain. However, MAC/IP Advertisement routes received by GW1 and GW2 in one EVPN Domain are processed and, if installed, redistributed into the other EVPN Domain.
         +----EVPN Domain-1---+      +----EVPN Domain-2--+
         |     1:1:EVPN       | GW1  |    1:2:EVPN       |
         |                   +---------+                 |
         |                   | +-----+ |                 |
         |                   | | BD1 | X <-+             |
        PE1                  | +-----+ |   |            PE2
     +---------+             +---------+   |         +---------+
     | +-----+ |              |      |     |         | +-----+ |
M1-----| BD1 | |              |      |     |         | | BD1 |-----M2
     | +-----+ |  ------->    |      |     |         | +-----+ |
     +---------+ (RT2)M1/IP1  |      |     |         +---------+
         |                   +---------+   |             |
         |                   | +-----+ |   |(RT2)M1/IP1  |
         |                   | | BD1 | | --+ <1:1:EVPN>  |
         |                   | +-----+ |                 |
         |                   +---------+                 |
         |                     | GW2 |                   |
         +---------------------+     +-------------------+
Consider the example of Figure 4, where PE1 advertises a MAC/IP Advertisement route for M1/IP1. The route is processed and installed by GW1 and GW2 in BD1, and both redistribute the routes into the EVPN Domain-2. By using D-PATH in GW1 and GW2, when the route is received on PE2, PE2 has the visibility of the EVPN Domains through which the route has gone, and can also use the D-PATH for best path selection. In addition, GW1 and GW2 can compare the D-PATH of the incoming routes with their local list of EVPN Domain-IDs, and detect looped routes if any of the local EVPN Domain-IDs matches a domain in the received D-PATH. This procedure prevents the redistribution of the route back into EVPN Domain-1. For example, when GW1 receives the MAC/IP Advertisement route for M1/IP1 with D-PATH <1:1:EVPN>, GW1 identifies the route as looped and it does not redistribute it back to Domain-1. The M1/IP1 route with Next Hop PE1 is installed. If M1/IP1 with Next Hop PE1 is withdrawn, GW1 MAY install the route M1/IP1 with Next Hop GW2, as specified in Section 4.4.
The example of Figure 5 illustrates how GW1 and GW2 can also have local ACs in BD1 and learn local MAC (or MAC/IP) addresses from devices connected to the ACs.
         +----EVPN Domain-1---+      +----EVPN Domain-2--+
         |     1:1:EVPN       | GW1  |    1:2:EVPN       |
         |                   +---------+                 |
         |                   | +-----+ |                 |
         |              +-->X| | BD1 | |X<--+            |
        PE1             |    | +-----+ |    |           PE2
     +---------+        |    +---------+    |        +---------+
     | +-----+ |        |     |      |      |        | +-----+ |
M1-----| BD1 | |        |     |      |      +--->    | | BD1 |-----M2
     | +-----+ |        |     |      |      |        | +-----+ |
     +---------+        |     |      |      |        +---------+
         |              |     | GW2  |      |            |
         |          <---+--  +---------+ (RT2)M3/IP3     |
         |       (RT2)M3/IP3 | +-----+ |  {1:3:0}        |
         |        {1:3:0}    | | BD1 | |    |            |
         |                   | +-----+ | ---+            |
         |                   +----|----+                 |
         |                     |  |  |                   |
         +---------------------+  |  +-------------------+
                                  +
                                  M3
Assuming GW2 learns M3/IP3 via local AC, GW2 advertises a MAC/IP Advertisement route for M3/IP3 into each of the EVPN Domains that GW2 is connected to. As described in Section 4, GW2 can advertise these two MAC/IP Advertisement routes with a configured EVPN Domain-ID for local MAC/IP routes that can be shared with GW1. Suppose this EVPN Domain-ID is 1:3 and is configured on both GW1 and GW2. When GW2 advertises the route into each EVPN Domain, it adds the D-PATH attribute with a domain {1:3:0}. These routes are flagged by GW1 as "looped" since 1:3 is configured as a local EVPN Domain-ID in GW1. In addition, PE1 and PE2 receive the routes with the D-PATH and they have the visibility of the origin of the routes, in this case local EVPN Domain Gateway routes. This information can be used to influence the best path selection in case multiple routes for M3/IP3 are received on PE1 or PE2 for BD1.
As an alternative solution to configuring the same EVPN Domain-ID for local routes on both EVPN Domain Gateways, GW2 can be configured with EVPN Domain-ID 1:3 for local routes, and GW1 can use a different EVPN Domain-ID, e.g., 1:4. In this case, GW2 advertises the route for M3/IP3 into each EVPN Domain as before, but now GW1 does not flag the route as "looped" since 1:3 is not on the list of GW1's local EVPN Domain-IDs. GW1 receives the routes from both EVPN Domains, and GW1 selects the route from, e.g., EVPN Domain-1. GW1 then installs the route in its BD and redistributes the route into EVPN Domain-2 with D-PATH {1:1:EVPN, 1:3:0}. When PE2 receives two routes for M3/IP3, one from GW2 with D-PATH {1:3:0} and another from GW1 with D-PATH {1:1:EVPN, 1:3:0}, PE2 uses best path selection and chooses to send its traffic to GW2. Also, GW2 receives the route for M3/IP3 from GW1 and marks it as "looped" since that route conveys its own EVPN Domain-IDs 1:1 and 1:3.
In a nutshell, the use of D-PATH in MAC/IP Advertisement routes helps prevent loops and influences the best path selection so that PEs choose the shortest paths to the destination PEs.
Most of the considerations included in [I-D.ietf-bess-evpn-ipvpn-interworking] apply to this document.
None.
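The loop check, install rule and Figure 5 walk-through above can be modelled in a few lines of Python. This is an added example, not code from the draft or its authors: the names `Route`, `is_looped`, `may_install`, `best_path` and `redistribute` are hypothetical, the Domain-ID sets are constructed from the Figure 5 text, and the selection function models only the D-PATH length comparison, not the tie-breaking rules of [I-D.ietf-bess-rfc7432bis].

```python
from typing import NamedTuple

# Route types whose looped routes MUST NOT be installed (per the loop-detection text).
NEVER_INSTALL_IF_LOOPED = {"AD_PER_EVI", "IMET"}

class Route(NamedTuple):
    rtype: str          # "MAC_IP", "AD_PER_EVI" or "IMET" (labels chosen for this example)
    key: str            # route key, e.g. "M3/IP3"
    next_hop: str
    d_path: tuple = ()  # domain segments "global:local:ISF_SAFI_TYPE", leftmost added last

def domain_id(segment):
    """Drop the ISF_SAFI_TYPE field: '1:3:0' -> '1:3'."""
    return segment.rsplit(":", 1)[0]

def is_looped(route, local_ids):
    """Looped if any D-PATH domain matches a locally associated Domain-ID."""
    return any(domain_id(seg) in local_ids for seg in route.d_path)

def may_install(route, local_ids):
    """Looped A-D per EVI and IMET routes are never installed; looped MAC/IP MAY be."""
    return not (is_looped(route, local_ids) and route.rtype in NEVER_INSTALL_IF_LOOPED)

def best_path(candidates, local_ids):
    """Simplified selection: shortest D-PATH among routes that may be installed."""
    eligible = [r for r in candidates if may_install(r, local_ids)]
    return min(eligible, key=lambda r: len(r.d_path), default=None)

def redistribute(route, local_ids, from_domain, gateway):
    """Re-advertise into another domain, prepending the domain the route came from.
    Returns None for a looped route, which MUST NOT be redistributed."""
    if is_looped(route, local_ids):
        return None
    return Route(route.rtype, route.key, gateway, (from_domain + ":EVPN",) + route.d_path)

def figure5_alternative():
    """Figure 5, alternative configuration: GW2 uses 1:3 for local routes, GW1 uses 1:4."""
    gw1_ids = {"1:1", "1:2", "1:4"}   # constructed from the text
    gw2_ids = {"1:1", "1:2", "1:3"}
    from_gw2 = Route("MAC_IP", "M3/IP3", "GW2", ("1:3:0",))
    via_gw1 = redistribute(from_gw2, gw1_ids, "1:1", "GW1")   # received in Domain-1
    pe2_choice = best_path([via_gw1, from_gw2], local_ids=set())
    return via_gw1, pe2_choice, is_looped(via_gw1, gw2_ids)

if __name__ == "__main__":
    via_gw1, pe2_choice, gw2_flags = figure5_alternative()
    print("GW1 re-advertises with D-PATH", via_gw1.d_path)
    print("PE2 selects next hop", pe2_choice.next_hop)
    print("GW2 flags GW1's copy as looped:", gw2_flags)
```

With the shared Domain-ID configuration (1:3 on both gateways), passing `{"1:1", "1:2", "1:3"}` as GW1's local set makes `redistribute` return `None` for the same route, which is the first Figure 5 case.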