Ingress Replication BUM flag in VXLAN

Section 8.3.3 of explains why tunnels used for EVPN ingress replication must include an indication that a given BUM (Broadcast, Unknown Unicast, Multicast) frame was ingress-replicated by the ingress PE. A summary of that section is provided here for the reader’s convenience: In EVPN networks using ingress replication, unknown unicast traffic is flooded with a distinct MPLS label to mark it as BUM traffic. This allows egress PEs to apply Designated Forwarder (DF) filtering for All-Active multihomed sites. If unknown unicast flooding is enabled but no specific unknown-unicast label is used, transient duplicate traffic may occur. This happens when the ingress PE has not yet learned a host MAC via EVPN, while the egress PEs already have. The ingress PE floods the packet to all egress PEs, which then forward multiple copies to the multihomed site. Such duplication occurs only when: the destination host is multihomed (All-Active) unknown-unicast flooding is enabled ingress replication is used the ingress PE hasn’t learned the MAC yet To prevent this, recommends the use of VXLAN-GPE encapsulation , with the ingress PE setting the BUM Traffic Bit (B-bit) to mark the traffic as ingress-replicated BUM. The goal of this document is twofold. First, it requests the allocation of the B-bit (also referred to as the “Ingress Replication BUM” flag) in the VXLAN Flags registry established by , and updates [RFC8365] to allow the use of this flag in VXLAN tunnels. Second, it analyzes additional use cases where the “Ingress Replication BUM” flag should be applied, beyond the scenario described in Section 8.3.3 of .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. BUM traffic: Broadcast, Unknown unicast and Multicast traffic. PE: Provider Edge device. In this document a PE can be a Leaf node in a Data Center or a traditional Provider Edge router in an MPLS network.

This document requests the allocation of the the Ingress Replication BUM flag (B-bit) in VXLAN tunnels as follows:

This document requests IANA to allocate bit 6 of the VXLAN Flags registry for the “Ingress Replication BUM” flag. The chosen bit position aligns with that used in , facilitating data path implementations that support both VXLAN-GPE and the procedures defined in this document for VXLAN tunnels. In an EVPN broadcast domain that uses Ingress Replication to forward BUM traffic: Ingress PEs MUST set the Ingress Replication BUM flag in VXLAN packets that encapsulate broadcast, multicast, or unknown unicast frames. Egress PEs MUST treat any received packet with the Ingress Replication BUM flag set as BUM traffic, regardless of the destination MAC address in the encapsulated frame. Egress PEs MUST treat any received packet with the Ingress Replication BUM flag unset as known unicast traffic, regardless of the destination MAC address in the encapsulated frame. In an EVPN broadcast domain that uses Assisted Replication , the ingress PE MUST set the Ingress Replication BUM flag in VXLAN packets that encapsulate broadcast, multicast or unknown unicast frames. In this context, the ingress PE may be an Assisted Replication Replicator, Leaf or RNVE (Regular Network Virtualization Edge) node. The following section illustrates how the use of the Ingress Replication BUM flag addresses issues in EVPN multi-homing networks.

Consider the scenario in , where PE1 and PE2 are multi-homed to CE1 in all-active mode, and ingress replication is used. Without the enhancement described in this document, when CE2 sends traffic to MAC M1, it is possible that PE3 has not yet learned M1, even though it already exists in the FIBs of PE1 and PE2. In this case, PE3 will ingress-replicate the frame in VXLAN packets to both PE1 and PE2, and since both egress PEs forward the traffic to CE1, packet duplication occurs. This is considered a transient scenario, but packet duplication may still be harmful for the applications. Using the procedures in this document: In the same example PE3 sets the Ingress Replication BUM flag. PE1 and PE2 receive the VXLAN packet with the flag set and treat it as BUM traffic. As a result, only the Designated Forwarder (DF) forwards the frame to CE1, thereby preventing packet duplication.

illustrates a similar example under different conditions. Without the enhancement described in this document, consider a scenario where CE2 sends a unicast frame destined for MAC M1. It is possible that PE3’s FIB still contains an entry for M1 pointing to PE1, while PE1 has already removed M1 from its own FIB (due to MAC aging or other conditions). In this case, if PE1 is not the Designated Forwarder (DF) for the Ethernet Segment, it will discard the frame, disrupting communication between CE2 and CE1. This represents another transient condition that can negatively affect applications. Using the procedures in this document: PE3 does not set the Ingress Replication BUM flag for the VXLAN packet that encapsulates the frames to M1. PE1 receives the VXLAN packet with the flag unset and therefore treats it as unicast traffic. This allows PE1 to safely forward the frame to CE1, and to any other local attachment circuits, if present. The communication between CE2 and CE1 is no longer disrupted.

The use of the Ingress Replication BUM flag in VXLAN packets is not expected to introduce any new security risks in existing EVPN VXLAN networks. On the contrary, this flag provides a clear indication to receiving PEs whether the traffic was originally classified as BUM or unicast. Since the setting of this bit for BUM-encapsulated packets is automatic and not controlled by configuration commands, an attacker with access to an EVPN VXLAN PE cannot exploit or modify it as a means of attack.

This document requests a new Flag in the registry called "VxLAN Flags", to indicate "Ingress Replication BUM".

The authors would like to acknowledge the authors of and for their initial discussions about the use of an Ingress Replication BUM flag in VXLAN-GPE.

&RFC2119; &RFC8174; &RFC8365; &RFC9574; &I-D.ietf-nvo3-rfc7348bis; &I-D.ietf-nvo3-vxlan-gpe;