nvo3 | N. Kumar |
Internet-Draft | C. Pignataro |
Intended status: Standards Track | D. Rao |
Expires: January 16, 2014 | Cisco Systems, Inc. |
July 15, 2013 |
Detecting NVO3 Overlay Data Plane failures
draft-kumar-nvo3-overlay-ping-00
This document describes a simple and efficient mechanism to perform L2 or L3 VN Context validation and to detect any data plane failures in IPv4 or IPv6 based overlay network providing L2 or L3 virtualized network.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 16, 2014.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
I.D-ietf-nvo3-framework [I-D.ietf-nvo3-framework] specifies a framework that defines mechanism to support large scale network virtualization by connecting L2 or L3 virtualized network over L3 tunnels. Various tunneling options like IPv4, IPv6 or MPLS can be used in underlying network.
Section 3.8 of [I.D-ietf-nvo3-dataplane-requirement] specifies the requirement of OAM tool that performs connectivity verification and fault isolation along with revealing ECMP paths between NVE nodes. While the mechanism described in RFC4379 [RFC4379] helps with satisfying this OAM requirement when MPLS tunnel is used, there is no native way to acheive the same when IPv4 or IPv6 is used as tunneling option.
This document describes a simple and efficient mechanism to perform L2 or L3 VN Context validation and to detect any data plane failures in IPv4 or IPv6 overlay network by re-purposing and extending MPLS Ping mechanism defined in RFC4379 [RFC4379]. This document also describes the mechanism to reveal all available paths (multi path) between any ingress and egress NVE nodes.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
L2 VN: Layer 2 Virtual Network
L3 VN: Layer 3 Virtual Network
NVE: Network Virtualization Edge
ECMP: Equal Cost multiple path
NVO3 PATH Ping packet is a IPv4 or IPv6 UDP packet and the basic structure of the packet remains the same as mentioned in Section 3 of RFC4379 [RFC4379].
This document introduces a new flag in Global Flags field defined in RFC4379 [RFC4379]. The new format of the Global Flags field is:
0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MBZ |N|T|V| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The V flag is described in RFC4379 [RFC4379] and T flag is described in RFC6425 [RFC6425].
The N flag (NVO3 PATH Ping) MUST be set in echo request and reply packet only when it is used to validate NVO3 Path.
The Message Type is one of the following:
Value Meaning ----- ------- 11 NVO3 Echo Request 12 NVO3 Echo Reply
The Reply Mode can be one of the following:
Value Meaning ----- ------- 11 Do not Reply 12 Reply via IPv4/IPv6 UDP packet
Return codes and Subcodes are described in section 4.1.
The Sender's Handle, Sequence Number, TimeStamp sent and TimeStamp Received field are as mentioned in Section 3 of RFC4379 [RFC4379].
The TLV format is same as mentioned in [RFC4379] and this document introduce a new TLV described later.
Responder uses Return code field to reply with validity check or any error message to Initiator. It doesnt carry any meaning in Echo Request and should be set as zero.
The Return Code can be one of the following:
Value Meaning ----- ------- 100 No Return Code 101 Malformed Echo Request Received 102 One or more TLVs not understood 103 Egress for the Target 104 No control plane mapping for the Target Object <RSC> 105 Downstream Detailed Mapping mismatch 108 Packet-Forward-OK
The Return Subcode contains the pointer in Target Object TLV for which the Replying node doesnt have a control plane mapping. For example, when NVE receives Target Object TLV with multiple Sub-TLVs and if NVE doesnt have an entry for second Sub-TLV should include 2 as RSC value.
The document introduces the below list of TLVs used in NVO3 Echo packets:
Type Value Field ------ ----------- 101 Target Object
Target Object TLV is a list of Sub-TLVs that carries the element against which the path or control plane validation is done.
This document defines the below Target Object Sub-TLVs:
Sub-Type Length Value Field -------- ------ ----------- 1 5 IPv4 prefix 2 17 IPv6 Prefix 3 variable L2 VN ID 4 variable L3 VN ID
NVO3 ECHO Request MUST have a Target Object TLV with atleast one Sub-TLV which describe the egress node about the element to be validated.
For example, if NVE X wanted to verify that MAC M1 is associated with VN ID VN1, it carries relevant information like VN ID and the MAC address in Sub-TLV type 3 and send to egress NVE. Egress NVE on receiving NVO3 Echo Request will validate the Target Object and will reply back with respective Return Code.
New Sub-TLVs can be proposed as and when required in future.
This document extends the Downstream Detailed Mapping TLV defined in Section 3.3 of RFC6424 [RFC6424] to be used in NVO3 scenarios with IPv4 or IPv6 based core network. This document introdues a new DS flag and the format is as below:
0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ |Rsvd(MBZ)|P|I|N| +-+-+-+-+-+-+-+-+ Flag Name and Meaning ---- ---------------- P Set when used in NVO3 Ping
The P flag (NVO3 Path ping) MUST be set in Downstream Detailed Mapping TLV only when it is used in NVO3 scenarios. When P flag is set, I flag MUST NOT be set.
For simplicity, The DDMAP with N flag set in DS flag will be referred as NVO3 DDMAP in this document.
This document also defines the below new multipath types to be used in NVO3 Path ping.
Type Meaning Multipath information -------- -------------- ----------------------- 11 UDP Port Mask UDP Port and bit mask 12 Flow Label Mask IPv6 Flow label and bit mask
Multipath Information
Based on the Multipath type, the Multipath Information encodes Flow label range or UDP port range that will excercise each path. The Multipath encoding follows the same procedure specifies in Section 3.3.1 of RFC4379 [RFC4379]. For completeness, it is explained in this document with UDP port range and IPv6 FLow label range.
Multipath type 1 encodes UDP port range. The UDP prefix is formatted as a base UDP port value with non-prefix low-order bits set to zero. Since the UDp port is 16 bits, the leading 16 bits are set as zeros. The maximum prefix (including leading zeros) length can be 27. Following the prefix is a mask of length 2^(32-prefix-length) bits. Each bit set to one represents a valid UDP port. UDP port values of all the odd numbers between 32704 and 3267 would be encoded as below:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Multipath type 2 encoded IPv6 Fow label range. The formatting is as mentioned above for UDP port range except that the leading zeros are set for leading 8 bits.
If the received Multipath Information is non-null, the UDP ports or IPv6 Flow labels MUST be picked from the set provided. if the range in received set cannot be mapped to a particular downstream interface, the type MUST be set to 0 for that interface while replying. If the received Multipath type is null, the type MUST be set to 0 while replying.
Unlike MPLS LSP Echo, the IP destination address in NVO3 Echo packet will be the actual destination of egress node and this raises a need to have an OAM indicator that can be used by transit nodes to differentiate between NVO3 Echo packet and data packet. This document explains the same as below:
This document proposes the below IPv6 Extension header and the format is as below:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len |R|R|R|R|R|R|R|R|R|R|R|R|R|R|R|N| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . Sub-TLVs . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
N flag
Any node on initiating NVO3 Echo Request MUST include IPv6 OAM Extension Header with NVO3 OAM flag set. Any node on replying back with NVO3 Echo Reply MUST include IPv6 OAM Extension Header with NVO3 OAM flag set. Any transit node on receiving IPv6 destinated packet with TTL=1 SHOULD interpret the payload as NVO3 ECHO packet if IPv6 OAM Extension header is present.
Any transit node on receiving IPv4 destinated packet with TTL=1 SHOULD interpret the payload as NVO3 ECHO packet if UDP port is 3503.
NVO3 Echo Request and Reply packet are UDP packet with destination port as 3503. This section describes the procedure in Initiating and responding nodes.
Initiator MUST include the respective Sub-TLV for the target(s) to be validated (L2 or L3 VNI or NVE address) in Target Object TLV. It also MUST set the N flag in Global Flags (Section 4) and set the message type as 11. The Reply mode is set to the desired mode ( type 11 or 12); Return code and Return Subcode are set to zero. The Sender's Handle and Sequence number are set by Initiator.
The source UDP port can be choosen by the Initiator and the destination UDP port is set to 3503. The IP header is set as follows: the source IP address is a routable address of the sender; the destination IP address is the target egress NVE address. When the core is IPv6 network, Initiator MUST include IPv6 OAM Extension header.
In ping mode (Connectivity check), the IP TTL is set to 255. In traceroute mode (Fault isolation), the IP TTL is set successively from 1 and MUST stop sending the Request if it receives a reply with Return code 103 or 104.
Sending an NVO3 Echo Request to control plane for payload processsing is done by IP TTL expiration in case of IPv4 and a combination of IP TTL expiration and IPv6 OAM Extension header incase of IPv6. The control plane further identifies it as NVO3 Echo packet by a combination of UDP destion port 3503 and N flag in Global flag field (Section 4).
Any node on receiving NVO3 Echo Request MUST send Echo Reply with Return code "Malformed Echo Request received" to Initiator if the packet fails sanity check. If the sanity check for NVO3 Echo Request is fine, Any node should store the below temporary variables:
Any transit node on receiving NVO3 Echo Request should perform the below:
Any Edge node (NVE) on receiving NVO3 Echo Request should perform the below:
NVO3 Echo Reply is a UDP packet and MUST be sent only in response to received NVO3 Echo Request. The format of NVO3 Echo Reply is same as Echo request.
Responder MUST fill the DDMAP field, Return Code and Return Subcode from previous section. It MUST also set the N flag in Global Flags and set the message type as 12. The Sender's Handle, Sequence Number field MUST be copied from the received Echo Request.
The source UDP port is set to 3503 and the source UDP port of received Echo Request is copied to destination UDP port of Echo Reply. The IP header is set as follows: the source IP address is a routable address of the responder; the destination IP address is coped from source address of Echo Request and IP TTL is set to 255. When the core is IPv6 network, Responder MUST include IPv6 OAM Extension Header.
Any node should receive NVO3 Echo Reply only in response to an NVO3 Echo Request that it sent. Initiator MUST drop the packet if it fails sanity check. If the sanity check is fine, the Echo Reply should be mapped with the respective Echo Request using the destination port and Sender's Handle. if there is no match, the Echo Reply MUST be ignored. Else, it checks the Sequence Number to match the iteration.
In traceroute mode, If the Echo Reply contains NVO3 DDMAP, it SHOULD copy the same to subsequent Echo Request(s).
For redundancy and load balancing purpose, It is common to see multiple equal cost paths between ingress and egress NVE and it is a local matter to transit node to decide the egress interface based on local hashing algorithm. It is common to see deployment with routers that support load-balancing based on UDP ports or based on IPv6 Flow label. So it is useful to have the OAM tool to exercise all possible paths between ingress and egress NVEs.
This can be achieved using Multipath Information Sub-TLV in NVO3 DDMAP. This can be used as follows:
This document reuse UDP port 3503 for NVO3 Echo packets.
This document request to assign the Message Types and Reply mode mentioned in Section 4 and Return code mentioned in Section 4.1
The TLVs and Sub-TLVs requested by this document for IANA consideration are the following:
Type Sub-Type Value Field ------- -------- ----------- 101 Target Object 1 IPv4 Prefix 2 IPv6 Prefix 3 L2 VN ID 4 L3 VN ID
The security consideration for NVO3 Ping is similar to ICMP or LSP Ping. AS like ICMP or LSP ping, NVO3 may be exposed to Denial-of-service attacks and it is RECOMMENDED to regulate the NVO3 Ping packet flow to control plane. A rate limiter SHOULD be applied to avoid any attack
As like ICMP or LSP Ping, a traceroute can be used to obtain network information. It is RECOMMENDED that the implementation check the source address of the Echo messages against any local secured list like access list before processing the message further
This draft is prepared with xml2rfc tool
[RFC4379] | Kompella, K. and G. Swallow, "Detecting Multi-Protocol Label Switched (MPLS) Data Plane Failures", RFC 4379, February 2006. |
[RFC6424] | Bahadur, N., Kompella, K. and G. Swallow, "Mechanism for Performing Label Switched Path Ping (LSP Ping) over MPLS Tunnels", RFC 6424, November 2011. |
[RFC6425] | Saxena, S., Swallow, G., Ali, Z., Farrel, A., Yasukawa, S. and T. Nadeau, "Detecting Data-Plane Failures in Point-to-Multipoint MPLS - Extensions to LSP Ping", RFC 6425, November 2011. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[I-D.ietf-nvo3-framework] | Lasserre, M., Balus, F., Morin, T., Bitar, N. and Y. Rekhter, "Framework for DC Network Virtualization", Internet-Draft draft-ietf-nvo3-framework-02, February 2013. |
[RFC3031] | Rosen, E., Viswanathan, A. and R. Callon, "Multiprotocol Label Switching Architecture", RFC 3031, January 2001. |