summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7900.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7900.txt')
-rw-r--r--doc/rfc/rfc7900.txt3643
1 files changed, 3643 insertions, 0 deletions
diff --git a/doc/rfc/rfc7900.txt b/doc/rfc/rfc7900.txt
new file mode 100644
index 0000000..2a6b8cd
--- /dev/null
+++ b/doc/rfc/rfc7900.txt
@@ -0,0 +1,3643 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) Y. Rekhter, Ed.
+Request for Comments: 7900 E. Rosen, Ed.
+Updates: 6513, 6514, 6625 Juniper Networks, Inc.
+Category: Standards Track R. Aggarwal
+ISSN: 2070-1721 Arktan
+ Y. Cai
+ Alibaba Group
+ T. Morin
+ Orange
+ June 2016
+
+
+ Extranet Multicast in BGP/IP MPLS VPNs
+
+Abstract
+
+ Previous RFCs specify the procedures necessary to allow IP multicast
+ traffic to travel from one site to another within a BGP/MPLS IP VPN
+ (Virtual Private Network). However, it is sometimes desirable to
+ allow multicast traffic whose source is in one VPN to be received by
+ systems that are in another VPN. This is known as a "Multicast VPN
+ (MVPN) extranet". This document updates RFCs 6513, 6514, and 6625 by
+ specifying the procedures that are necessary in order to provide
+ extranet MVPN service.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7900.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 1]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+Copyright Notice
+
+ Copyright (c) 2016 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction ....................................................4
+ 1.1. Terminology ................................................4
+ 1.2. Scope ......................................................7
+ 1.2.1. Customer Multicast Control Protocols ................7
+ 1.2.2. Provider Multicast Control Protocols ................7
+ 1.3. Clarification on Use of Route Distinguishers ...............8
+ 1.4. Overview ...................................................9
+ 2. Extranets and Overlapping Address Spaces .......................12
+ 2.1. Ambiguity: P-Tunnel with Extranet/Non-extranet Flows ......14
+ 2.2. Ambiguity: P-Tunnel with Multiple Extranet Flows ..........16
+ 2.3. Preventing Misdelivery in These Scenarios .................18
+ 2.3.1. Do Not Deliver Packets from the Wrong P-tunnel .....18
+ 2.3.2. Policies to Prevent Ambiguity on a P-Tunnel ........20
+ 3. Extranet Transmission Models ...................................21
+ 3.1. Transmitting an Extranet C-Flow on a Single PMSI ..........21
+ 3.1.1. Without Extranet Separation ........................22
+ 3.1.2. With Extranet Separation ...........................22
+ 3.2. Transmitting an Extranet C-Flow over Multiple PMSIs .......23
+ 4. Distribution of Routes That Match C-S/C-RP Addresses ...........23
+ 4.1. UMH-Eligible Routes .......................................23
+ 4.1.1. Extranet Separation ................................24
+ 4.2. Distribution of Unicast Routes Matching C-RPs and DRs .....25
+ 4.3. Route Targets and Ambiguous UMH-Eligible Routes ...........26
+ 4.4. Dynamically Marking Extranet Routes .......................27
+ 4.4.1. The Extranet Source Extended Community .............27
+ 4.4.2. Distribution of Extranet Source Extended
+ Community ..........................................29
+ 4.5. The Extranet Separation Extended Community ................30
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 2]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ 5. Origination and Distribution of BGP A-D Routes .................30
+ 5.1. Route Targets of UMH-Eligible Routes and A-D Routes .......30
+ 5.2. Considerations for Particular Inclusive Tunnel Types ......33
+ 5.2.1. RSVP-TE P2MP or Ingress Replication ................33
+ 5.2.2. Ingress Replication ................................34
+ 6. When PIM Is the PE-PE C-Multicast Control Plane ................35
+ 6.1. Provisioning VRFs with RTs ................................36
+ 6.1.1. Incoming and Outgoing Extranet RTs .................36
+ 6.1.2. UMH-Eligible Routes and RTs ........................37
+ 6.1.3. PIM C-Instance Reverse Path Forwarding
+ Determination ......................................37
+ 6.2. "Single PMSI per C-Flow" Model ............................38
+ 6.2.1. Forming the MI-PMSIs ...............................38
+ 6.2.2. S-PMSIs ............................................41
+ 6.2.3. Sending PIM Control Packets ........................42
+ 6.2.4. Receiving PIM Control Packets ......................43
+ 6.2.5. Sending and Receiving Data Packets .................43
+ 6.3. "Multiple PMSIs per C-Flow" Model .........................43
+ 6.3.1. Forming the MI-PMSIs ...............................44
+ 7. When BGP Is the PE-PE C-Multicast Control Plane ................46
+ 7.1. Originating C-Multicast Routes ............................46
+ 7.2. Originating A-D Routes without Extranet Separation ........47
+ 7.2.1. Intra-AS I-PMSI A-D Routes .........................47
+ 7.2.2. S-PMSI A-D Routes ..................................47
+ 7.2.3. Source Active A-D Routes ...........................48
+ 7.2.3.1. When Inter-Site Shared Trees Are Used .....48
+ 7.2.3.2. When Inter-Site Shared Trees Are
+ Not Used ..................................49
+ 7.3. Originating A-D Routes with Extranet Separation ...........49
+ 7.3.1. Intra-AS I-PMSI A-D Routes .........................49
+ 7.3.2. S-PMSI A-D Routes ..................................50
+ 7.3.3. Source Active A-D Routes ...........................52
+ 7.4. Determining the Expected P-Tunnel for a C-Flow ............52
+ 7.4.1. (C-S,C-G) S-PMSI A-D Routes ........................54
+ 7.4.2. (C-S,C-*) S-PMSI A-D Routes ........................54
+ 7.4.3. (C-*,C-G) S-PMSI A-D Routes ........................55
+ 7.4.4. (C-*,C-*) S-PMSI A-D Routes ........................56
+ 7.4.5. I-PMSI A-D Routes ..................................56
+ 7.5. Packets Arriving from the Wrong P-Tunnel ..................57
+ 8. Multiple Extranet VRFs on the Same PE ..........................57
+ 9. IANA Considerations ............................................58
+ 10. Security Considerations .......................................59
+ 11. References ....................................................61
+ 11.1. Normative References .....................................61
+ 11.2. Informative References ...................................62
+ Acknowledgments ...................................................64
+ Contributors ......................................................64
+ Authors' Addresses ................................................65
+
+
+
+Rekhter, et al. Standards Track [Page 3]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+1. Introduction
+
+ Previous RFCs [RFC6513] [RFC6514] specify the procedures necessary to
+ allow IP multicast traffic to travel from one site to another within
+ a BGP/MPLS IP VPN (Virtual Private Network). However, it is
+ sometimes desirable to allow multicast traffic whose source is in one
+ VPN to be received by systems that are in another VPN. This is known
+ as an "extranet Multicast VPN (MVPN)". This document specifies the
+ procedures that are necessary in order to provide extranet MVPN
+ functionality.
+
+ This document updates RFCs 6513, 6514, and 6625 by specifying the
+ procedures that are necessary in order to provide extranet MVPN
+ service.
+
+1.1. Terminology
+
+ This document uses terminology from [RFC6513] and in particular uses
+ the prefixes "C-" and "P-" as specified in Section 3.1 of [RFC6513],
+ and "A-D routes" for "auto-discovery routes".
+
+ The term "Upstream Multicast Hop" (UMH) is used as defined in
+ [RFC6513].
+
+ The term "UMH-eligible route" is used to mean "route eligible for UMH
+ determination", as defined in Section 5.1.1 of [RFC6513]. We will
+ say that a given UMH-eligible route or unicast route "matches" a
+ given IP address, in the context of a given Virtual Routing and
+ Forwarding table (VRF), if the address prefix of the given route is
+ the longest match in that VRF for the given IP address. We will
+ sometimes say that a route "matches" a particular host if the route
+ matches an IP address of the host.
+
+ We follow the terminology of Section 3.2 of [RFC6625] when talking of
+ a "Selective Provider Multicast Service Interface" (S-PMSI) A-D route
+ being "installed". That is, we say that an S-PMSI A-D route is
+ "installed" (in a given VRF) if it has been selected by the BGP
+ decision process as the preferred route for its Network Layer
+ Reachability Information (NLRI). We also follow the terminology of
+ Section 3.2 of [RFC6625] when saying that an S-PMSI A-D route has
+ been "originated by a given PE"; this means that the given Provider
+ Edge's (PE's) IP address is contained in the Originating Router's IP
+ Address field in the NLRI of the route.
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 4]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ We use the following additional terminology and notation:
+
+ o Extranet C-source: a multicast source, in a given VPN, that is
+ allowed by policy to send multicast traffic to receivers that are
+ in other VPNs.
+
+ o Extranet C-receiver: a multicast receiver, in a given VPN, that is
+ allowed by policy to receive multicast traffic from extranet
+ C-sources that are in other VPNs.
+
+ o Extranet C-flow: a multicast flow (with a specified C-source
+ address and C-group address) with the following properties: its
+ source is an extranet C-source, and it is allowed by policy to
+ have extranet C-receivers.
+
+ o Extranet C-group: a multicast group address that is in the
+ "Any-Source Multicast" (ASM) group address range and that is
+ allowed by policy to have extranet C-sources and extranet
+ C-receivers that are not all in the same VPN. Note that we will
+ sometimes refer to "Source-Specific Multicast (SSM) C-group
+ addresses" (i.e., C-group addresses in the SSM group address
+ range) but will never call them "extranet C-groups".
+
+ N.B.: Any source of traffic for an extranet C-group is considered
+ to be an extranet C-source, and any receiver of traffic addressed
+ to an extranet C-group is considered to be an extranet C-receiver.
+
+ o Extranet C-RP: a multicast Rendezvous Point (RP) for an extranet
+ C-group; it is allowed by policy to receive PIM Register messages
+ [RFC7761] from outside its VPN and to send multicast data packets
+ to extranet C-receivers outside its VPN.
+
+ o Host(C-S,A): the host (or, if C-S is an "anycast address", the set
+ of hosts) denoted by the address C-S in the context of VPN-A. For
+ example, if a particular C-source in VPN-A has address C-S, then
+ Host(C-S,A) refers to that C-source.
+
+ o "SAFI n" route: a BGP route whose Address Family Identifier (AFI)
+ is either 1 (IPv4) or 2 (IPv6) and whose Subsequent Address Family
+ Identifier (SAFI) is "n".
+
+ o PTA: PMSI Tunnel Attribute [RFC6514].
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 5]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Note that a given extranet C-source is not necessarily allowed to
+ transmit to every extranet C-receiver; policy determines which
+ extranet C-sources are allowed to transmit to which extranet
+ C-receivers. However, in the case of an extranet (ASM) C-group, all
+ transmitters to the group are allowed to transmit to all the
+ receivers of the group, and all the receivers of the group are
+ allowed to receive from all transmitters to the group.
+
+ We say that a given VRF "contains" or "has" a multicast C-source (or
+ that the C-source is "in" the VRF) if that C-source is in a site
+ connected to that VRF and the VRF originates a UMH-eligible route
+ (see Section 4) that matches the address of the C-source.
+
+ We say that a given VRF "contains" or "has" a multicast C-receiver
+ (or that the C-receiver is "in" the VRF) if that C-receiver is in a
+ site connected to that VRF.
+
+ We say that a given VRF "contains" or "has" the C-RP for a given ASM
+ group (or that the C-RP is "in" the VRF) if that C-RP is in a site
+ connected to that VRF and the VRF originates a unicast route and a
+ (possibly different, possibly the same) UMH-eligible route (see
+ Section 4) whose respective address prefixes match the C-RP address.
+
+ [RFC6513] allows a set of "P-tunnels" (defined in Section 3.2 of
+ [RFC6513]) to be aggregated together and transported via an outer
+ P-tunnel; i.e., it allows for the use of hierarchical Label Switched
+ Paths (LSPs) as P-tunnels. A two-level hierarchical LSP, for
+ example, can be thought of as a set of "inner tunnels" aggregated
+ into an outer tunnel. In this document, when we speak of a P-tunnel,
+ we are always speaking of the innermost P-tunnel, i.e., of a P-tunnel
+ at the lowest hierarchical level. P-tunnels are identified in the
+ PMSI Tunnel attributes ("PTAs" in this document) [RFC6514] of BGP
+ auto-discovery (A-D) routes. Two PTAs that have the same Tunnel Type
+ and Tunnel Identifier fields but different MPLS label fields are thus
+ considered to identify two different P-tunnels. (That is, for the
+ purposes of this document, the MPLS label included in the PTA, if
+ any, is considered to be part of the tunnel identifier.)
+
+ We say that the NLRI of a BGP S-PMSI A-D route or Source Active A-D
+ route contains (C-S,C-G) if its Multicast Source field contains C-S
+ and its Multicast Group field contains C-G. If either or both of
+ these fields are encoded as a wildcard, we will say that the NLRI
+ contains (C-*,C-*) (both fields encoded as wildcards), (C-*,C-G)
+ (Multicast Source field encoded as a wildcard), or (C-S,C-*)
+ (Multicast Group field encoded as a wildcard).
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 6]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ We use the term "VPN security violation" to refer to any situation in
+ which a packet is delivered to a particular VPN, even though, by
+ policy, it should not be delivered to that VPN.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+1.2. Scope
+
+1.2.1. Customer Multicast Control Protocols
+
+ This document presumes that the VPN customer is using PIM - Sparse
+ Mode (PIM-SM) [RFC7761] as the multicast control protocol at the
+ customer sites. PIM-SM may be used in either the ASM service model
+ or the SSM service model; this document covers both cases. Support
+ for other customer IP multicast control protocols (e.g., [RFC5015],
+ PIM - Dense Mode) is outside the scope of this document. Support for
+ the use of MPLS multicast control protocols (e.g., [RFC6388]
+ [RFC4875]) by customer sites is also outside the scope of this
+ document.
+
+ When a VPN customer uses ASM, the customer routers need to be able to
+ map from a C-group address to a C-RP address. These mappings can be
+ provisioned in each router, or they can be discovered dynamically
+ through protocols such as the Bootstrap Router (BSR) mechanism
+ [RFC5059]. However, it cannot be assumed that such protocols will
+ automatically work in the context of an extranet. Discussion of the
+ use of such protocols in an extranet is outside the scope of this
+ document.
+
+1.2.2. Provider Multicast Control Protocols
+
+ [RFC6513] allows either PIM or BGP to be used as the protocol for
+ distributing customer multicast routing information. Except where
+ otherwise specified, such as in Sections 6 and 7, the procedures of
+ this document cover both cases.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 7]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+1.3. Clarification on Use of Route Distinguishers
+
+ [RFC4364] requires that every VRF be associated with one or more
+ Route Distinguishers (RDs). Each VPN-IPv4 or VPN-IPv6 route that is
+ exported from a particular VRF contains, in its NLRI, an RD that is
+ associated with that VRF.
+
+ [RFC4364] allows a given RD to be associated with more than one VRF,
+ as long as all the VRFs associated with that RD belong to the same
+ VPN. However, in the most common deployment model, each RD is
+ associated with one and only one VRF. [RFC6513] and [RFC6514]
+ presuppose this deployment model. That is, [RFC6513] and [RFC6514]
+ presuppose that every RD is associated with one and only one VRF. We
+ will call this the "unique VRF per RD" condition.
+
+ [RFC6514] defines the MCAST-VPN address family, which has a number of
+ route types. Each Intra-Autonomous System (Intra-AS) "Inclusive
+ Provider Multicast Service Interface" (I-PMSI) A-D route, S-PMSI A-D
+ route, and Source Active A-D route, when exported from a given VRF,
+ contains, in its NLRI, an RD that is associated with the VRF.
+ [RFC6513] and [RFC6514] also discuss a class of routes known as
+ "UMH-eligible" routes; when a UMH-eligible route is exported from a
+ given VRF, its NLRI contains an RD of the VRF.
+
+ [RFC6514] also defines MCAST-VPN routes whose NLRIs do not contain an
+ RD of the VRF from which they are exported: the C-multicast Join
+ routes and the Leaf A-D routes.
+
+ Those route types that, when exported from a given VRF, contain (in
+ their NLRIs) an RD of the VRF, will be known in this document as
+ "local-RD routes".
+
+ Given the "unique VRF per RD" condition, if one sees that two
+ local-RD routes have the same RD, one can infer that the two routes
+ originated from the same VRF. This inference can be drawn even if
+ the two routes do not have the same SAFI, as long as the two routes
+ are both local-RD routes.
+
+ This document builds upon [RFC6513] and [RFC6514]; therefore, the
+ "unique VRF per RD" condition is REQUIRED.
+
+ [RFC6514] presupposes a further requirement on the use of RDs in the
+ local-RD routes exported from a given VRF. Suppose that a given VRF
+ exports a Source Active A-D route containing (C-S,C-G). That VRF
+ will also export a UMH-eligible route matching C-S. [RFC6514]
+ presupposes that the UMH-eligible route and the Source Active A-D
+ route have the same RD.
+
+
+
+
+Rekhter, et al. Standards Track [Page 8]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ In most cases, not only is a given RD associated with only a single
+ VRF, but a given VRF is associated with only a single RD. We will
+ call this the "unique RD per VRF" condition. When this condition
+ holds, all the local-RD routes exported from a given VRF will have
+ the same RD. This ensures that the presupposition of the previous
+ paragraph will hold, i.e., that the RD in a Source Active A-D route
+ exported from a given VRF will have the same RD as the corresponding
+ UMH-eligible route exported from the same VRF.
+
+ Section 7.3 of this document describes a procedure known as "extranet
+ separation". When extranet separation is NOT being used, it is
+ REQUIRED by this document that the "unique RD per VRF" condition
+ hold. This ensures that all the local-RD routes exported from a
+ given VRF will have the same RD.
+
+ When extranet separation is used, a VRF that contains both extranet
+ sources and non-extranet sources MUST be configured with two RDs.
+ One of these RDs is known as the "default RD", and the other is known
+ as the "extranet RD". It MUST be known by configuration which RD is
+ the default RD and which is the extranet RD.
+
+ When a VRF is configured with only one RD, we will refer to that RD
+ as the "default RD".
+
+ In general, local-RD routes exported from a given VRF will contain
+ the default RD. However, when extranet separation is used, some of
+ the local-RD routes exported from the VRF will contain the
+ extranet RD. Details concerning the exported routes that contain
+ the extranet RD can be found in Sections 4.1 and 7.3.
+
+ Note that the "unique VRF per RD" condition applies to the
+ extranet RD as well as the default RD. That is, a given extranet RD
+ is associated with a unique VRF.
+
+1.4. Overview
+
+ Consider two VPNs, VPN-S and VPN-R, each of which supports MVPN
+ functionality as specified in [RFC6513] and/or [RFC6514]. In the
+ simplest configuration, VPN-S is a collection of VRFs, each of which
+ is configured with a particular Route Target (RT) value (call it
+ "RT-S") as its import RT and as its export RT. Similarly, VPN-R is a
+ collection of VRFs, each of which is configured with a particular RT
+ value (call it "RT-R") as its import RT and as its export RT.
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 9]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ In this configuration, multicast C-receivers contained in a VPN-R VRF
+ cannot receive multicast data traffic from multicast C-sources
+ contained in a VPN-S VRF. If it is desired to allow this, one needs
+ to create an MVPN "extranet". Creating an extranet requires
+ procedures in addition to those specified in [RFC6513], [RFC6514],
+ and [RFC6625]; this document specifies these additional procedures.
+
+ In the example above, the additional procedures will allow a selected
+ set of routes exported from the VPN-S VRFs (i.e., from the VRFs
+ containing extranet C-sources) to be imported into the VPN-R VRFs
+ (i.e., into the VRFs containing extranet C-receivers). These routes
+ include the routes that are to be eligible for use as UMH routes (see
+ Section 5.1 of [RFC6513]) in the extranet, as well as a selected set
+ of BGP A-D routes (Intra-AS I-PMSI A-D routes, S-PMSI A-D routes, and
+ Source Active A-D routes). Importing these routes into the VPN-R
+ VRFs makes it possible to determine, in the context of a VPN-R VRF,
+ that a particular C-multicast Join needs to be delivered to a
+ particular VPN-S VRF. It also makes it possible to determine, in the
+ context of a VPN-R VRF, the P-tunnel through which the aforementioned
+ VPN-S VRF sends a particular C-flow.
+
+ Depending on the type of P-tunnel used, it may also be necessary for
+ Leaf A-D routes to be exported by one or more VPN-R VRFs and imported
+ into a VPN-S VRF.
+
+ There are no extranet-specific procedures governing the use and
+ distribution of BGP C-multicast routes.
+
+ If PIM is used as the PE-PE protocol for distributing C-multicast
+ routing information, additional BGP A-D routes must be exported from
+ the VPN-R VRFs and imported into the VPN-S VRFs, so that the VPN-S
+ VRFs can join the P-tunnels that the VPN-R VRFs use for sending PIM
+ control messages. Details can be found in Section 6.
+
+ The simple example above describes an extranet created from two
+ MVPNs, one of which contains extranet C-sources and one of which
+ contains extranet C-receivers. However, the procedures described in
+ this document allow for much more complicated scenarios.
+
+ For instance, an extranet may contain extranet C-sources and/or
+ extranet C-receivers from an arbitrary number of VPNs, not just from
+ two VPNs. An extranet C-receiver in VPN-R may be allowed to receive
+ multicast traffic from extranet C-sources in VPN-A, VPN-B, and VPN-C.
+ Similarly, extranet C-sources in VPN-S may be allowed to send
+ multicast traffic to multicast C-receivers that are in VPN-A, VPN-B,
+ VPN-C, etc.
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 10]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ A given VPN customer may desire that only some of its multicast
+ C-sources be treated as extranet C-sources. This can be accomplished
+ by appropriate provisioning of the import and export RTs of that
+ customer's VRFs (as well as the VRFs of other VPNs that contain
+ extranet C-receivers for extranet C-flows of the given customer).
+
+ A given VPN customer may desire that some of its extranet C-sources
+ can transmit only to a certain set of VPNs while other of its
+ extranet C-sources can transmit only to a different set of VPNs.
+ This can be accomplished by provisioning the VRFs to export different
+ routes with different RTs.
+
+ In all these cases, the VPN customers set the policies, and the
+ Service Provider (SP) implements the policies by the way it
+ provisions the import and export RTs of the VRFs. It is assumed that
+ the customer communicates to the SP the set of extranet C-source
+ addresses and the set of VPNs to which each C-source can transmit.
+ (Recall that every C-source that can transmit to an extranet C-group
+ is an extranet C-source and must be able to transmit to any VPN that
+ has receivers for that group. This must be taken into account when
+ the provisioning is done.) This customer/SP communication is part of
+ the service provisioning process and is outside the scope of this
+ document.
+
+ It is possible that an extranet C-source will transmit both extranet
+ C-flows and non-extranet C-flows. However, if extranet C-receiver
+ C-R can receive extranet C-flows from extranet C-source C-S, the
+ procedures of this document do not prevent C-R from requesting and
+ receiving the non-extranet flows that are transmitted by C-S.
+ Therefore, allowing an extranet C-source to transmit non-extranet
+ C-flows is NOT RECOMMENDED. However, the SP has no control over the
+ set of C-flows transmitted by a given C-source and can do no more
+ than communicate this recommendation to its customers.
+ (Alternatively, the customer and SP may coordinate on setting up
+ filters to prevent unauthorized flows from being sent to a customer
+ site; such a procedure is outside the scope of this document.) See
+ Section 10 ("Security Considerations") for additional discussion of
+ this issue.
+
+ Whenever a VPN is provisioned, there is a risk that errors in
+ provisioning may result in an unintended cross-connection of VPNs.
+ This would create a security problem for the customers. When
+ provisioning an extranet, attention to detail is particularly
+ important, as an extranet intentionally cross-connects VPNs. Care
+ must always be taken to ensure that the cross-connections are
+ according to the policy agreed upon by the SP and its customers.
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 11]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Additionally, if one is connecting two VPNs that have overlapping
+ address spaces, one has to be sure that the inter-VPN traffic neither
+ originates from nor is destined to the part of the address space that
+ is in the overlap. Other problems that can arise due to overlapping
+ address spaces are discussed in Section 2.
+
+2. Extranets and Overlapping Address Spaces
+
+ As specified in [RFC4364], the address space of one VPN may overlap
+ with the address space of another. A given address may be
+ "ambiguous" in that it denotes one system within VPN-A and a
+ different system within VPN-B. In the notation of Section 1.1,
+ if an address C-S is ambiguous between VPN-A and VPN-B, then
+ Host(C-S,A) != Host(C-S,B). However, any given address C-S MUST be
+ unambiguous (i.e., MUST denote a single system) in the context of a
+ given VPN.
+
+ When a set of VRFs belonging to different VPNs are combined into an
+ extranet, it is no longer sufficient for an address to be unambiguous
+ only within the context of a single VPN:
+
+ 1. Suppose that C-S is the address of a given extranet C-source
+ contained in VPN-A. Now consider the set of VPNs
+ {VPN-B, VPN-C, ...} containing extranet C-receivers that are
+ allowed by policy to receive extranet C-flows from VPN-A's C-S.
+ The address C-S MUST be unambiguous among this entire set of VPNs
+ {VPN-A, VPN-B, VPN-C, ...}; i.e., Host(C-S,A) == Host(C-S,B) ==
+ Host(C-S,C).
+
+ The implication is that C-S in VPN-A is not necessarily an
+ extranet C-source for all VPNs that contain extranet C-receivers;
+ policy MUST be used to ensure that C-S is an extranet C-source
+ for a given VPN, say VPN-B, only if C-S is unambiguous between
+ VPN-A and VPN-B.
+
+ 2. If a given VRF contains extranet C-receivers for a given extranet
+ C-source, then the address of this C-source MUST be unambiguous
+ among all the extranet C-sources for which there are C-receivers
+ in the VRF. This is true whether or not C-sources are in VRFs
+ that belong to the same VPN or different VPNs.
+
+ The implication is that if C-S in VRF-X is ambiguous with C-S in
+ VRF-Y, then there MUST NOT be any VRF, say VRF-Z, containing
+ C-receivers that are allowed by policy to receive extranet
+ C-flows from both C-S in VRF-X and C-S in VRF-Y.
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 12]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Note: A VPN customer may be using anycast addresses. An anycast
+ address is intentionally ambiguous, as it denotes a set of systems
+ rather than a single system. In this document, we will consider an
+ anycast address to be unambiguous in a given context as long as it
+ denotes the same set of systems whenever it occurs in that context.
+
+ A multicast C-group address, say C-G, may also be ambiguous in that
+ it may be used for one multicast group in VPN-A and for an entirely
+ different multicast group in VPN-B. If a set of MVPNs are combined
+ into an extranet and C-G is an extranet C-group, it is necessary to
+ ensure that C-G is unambiguous among the entire set of VPNs whose
+ VRFs contain extranet C-sources, C-RPs, and/or extranet C-receivers
+ for that C-group. This may require, as part of the provisioning
+ process, customer/SP communication that is outside the scope of this
+ document.
+
+ Subject to these restrictions, the SP has complete control over the
+ distribution of routes in an MVPN. This control is exerted by
+ provisioning either (1) the export RTs on the VRFs that originate the
+ routes (i.e., the VRFs that contain the extranet C-sources) or
+ (2) the import RTs on the VRFs that receive the routes (i.e., the
+ VRFs that contain the extranet C-receivers), or both.
+
+ Some of the rules and restrictions on provisioning the RTs are
+ applicable to all extranets; these are specified in Section 4.
+ Sections 6 and 7 list additional rules and restrictions that are
+ applicable only to particular extranet scenarios.
+
+ Even if all the RTs are provisioned according to the above rules and
+ restrictions, it is still possible for a single P-tunnel to contain
+ multicast data packets whose source and/or group addresses are
+ ambiguous in the context of the set of PEs that receive data from the
+ P-tunnel. That is, the above rules and restrictions are necessary,
+ but not sufficient, to prevent address ambiguity from causing
+ misdelivery of traffic. To prevent such misdelivery, additional
+ procedures or policies must be used.
+
+ Sections 2.1 and 2.2 describe scenarios in which a given P-tunnel may
+ carry data packets with ambiguous addresses. The additional
+ procedures and policies needed to prevent misdelivery of data in
+ those scenarios are outlined in Section 2.3. (The detailed
+ procedures described in Sections 6 and 7 incorporate the
+ considerations discussed in Section 2.3.)
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 13]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+2.1. Ambiguity: P-Tunnel with Extranet/Non-extranet Flows
+
+ In the following, we will use the notation "VRF A-n" to mean "VRF n
+ of VPN-A".
+
+ If VPN-A and VPN-B have overlapping address spaces and are part of
+ the same extranet, then the following problem may exist, as
+ illustrated in Figure 1.
+
+ C-S2(A) C-S1 Join(C-S2(A),G)
+ \ / /
+ \ / /
+ +-------+---+ P1: (C-S1,G), (C-S2(A),G) +---+--------+
+ |VRF A-1| |---------------------------------| |VRF A-2 |
+ +-------+PE1| |PE2+--------+
+ |VRF B-1| |---------------------------------| |VRF B-2 |
+ +-------+---+ P2: (C-S2(B),G) +---+--------+
+ / / \
+ / / \
+ C-S2(B) Join(C-S2(B),G) Join(C-S1,G)
+
+ Figure 1: Ambiguity of Extranet and Non-extranet Source Address
+
+ Suppose that:
+
+ o C-G is an SSM C-group used in VPN-A and VPN-B.
+
+ o VRF A-1, on PE1, contains an extranet C-source, with IP address
+ C-S1, that is allowed to have receivers in VPN-B. VRF A-1 thus
+ exports to VPN-B a UMH-eligible route matching C-S1.
+
+ o In addition, VRF A-1 contains a non-extranet C-source with IP
+ address C-S2. VRF A-1 exports a UMH-eligible route matching C-S2
+ to other VPN-A VRFs but NOT to VPN-B.
+
+ o VRF B-1, also on PE1, contains a non-extranet C-source with IP
+ address C-S2. A UMH-eligible route matching C-S2 is thus exported
+ from VRF B-1 to other VRFs in VPN-B.
+
+ o Host(C-S2,A) != Host(C-S2,B). That is, C-S2 is an ambiguous
+ address in any extranet that contains both VPN-A VRFs and VPN-B
+ VRFs.
+
+ o VRF B-2, on some other PE, say PE2, requests the multicast flow
+ (C-S1,C-G). In the context of VRF B-2, C-S1 matches the route
+ exported from VRF A-1. Thus, B-2's request to receive the
+ (C-S1,C-G) flow is transmitted to VRF A-1.
+
+
+
+
+Rekhter, et al. Standards Track [Page 14]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ o VRF A-1 responds to VRF B-2's request for (C-S1,C-G) traffic by
+ transmitting that traffic on P-tunnel P1.
+
+ o VRF B-2 joins P-tunnel P1 in order to receive the (C-S1,C-G)
+ traffic.
+
+ o VRF A-2, on PE2, requests the (non-extranet) multicast flow
+ (C-S2,C-G). In the context of VRF A-2, C-S2 matches the route
+ exported from VRF A-1. Thus, A-2's request to receive the
+ (C-S2,C-G) traffic is transmitted to VRF A-1.
+
+ o VRF A-1 responds to VRF A-2's request for (C-S2,C-G) traffic by
+ transmitting that traffic on P-tunnel P1.
+
+ o VRF A-2 joins P-tunnel P1 in order to receive the (C-S2,C-G)
+ traffic.
+
+ o VRF B-2 requests the (non-extranet) multicast flow (C-S2,C-G). In
+ the context of VRF B-2, C-S2 matches the route exported from VRF
+ B-1. Thus, B-2's request to receive the (C-S2,C-G) flow is
+ transmitted to VRF B-1.
+
+ o VRF B-1 responds to VRF B-2's request for (C-S2,C-G) traffic by
+ transmitting that traffic on P-tunnel P2.
+
+ o VRF B-2 joins P-tunnel P2.
+
+ Since VRF B-2 has joined P-tunnel P1 and P-tunnel P2, it will receive
+ (C-S2,C-G) traffic on both P-tunnels. The (C-S2,C-G) traffic that
+ VRF B-2 needs to receive is traveling on P-tunnel P2; this (C-S2,C-G)
+ traffic must be forwarded by B-2 to any attached customer sites that
+ have C-receivers for it. But B-2 MUST discard the (C-S2,C-G) traffic
+ that it receives on P1, as this is not the traffic that it has
+ requested. If the (C-S2,C-G) traffic arriving on P1 were forwarded
+ to B-2's customer sites, the C-receivers would not be able to
+ distinguish the two flows, and the result would be a corrupted data
+ stream.
+
+ Note that the procedures of Section 9.1.1 of [RFC6513] ("Discarding
+ Packets from Wrong PE") will not cause VRF B-2 to discard the
+ (C-S2,C-G) traffic that arrives on tunnel P1, because P1 and P2 have
+ the same upstream PE.
+
+ Therefore, it is necessary to EITHER (1) prevent the above scenario
+ from occurring OR (2) ensure that multicast data packets will be
+ discarded if they arrive on the wrong P-tunnel (even if they arrive
+ from the expected PE). See Section 2.3 for further discussion of
+ this issue.
+
+
+
+Rekhter, et al. Standards Track [Page 15]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+2.2. Ambiguity: P-Tunnel with Multiple Extranet Flows
+
+ Figure 2 illustrates another example of how overlapping address
+ spaces may cause a problem.
+
+ C-S2(A2D) C-S1(A2C) Join(C-S2(A2D),G)
+ \ / /
+ \ / /
+ +-------+---+ P1: (C-S1(A2C),G), (C-S2(A2D),G)+---+--------+
+ |VRF A-1| |---------------------------------| |VRF D-1 |
+ +-------+PE1| |PE2+--------+
+ |VRF B-1| |---------------------------------| |VRF C-1 |
+ +-------+---+ P2: (C-S2(B2C),G) +---+--------+
+ / / \
+ / / \
+ C-S2(B2C) / \
+ Join Join
+ (C-S2(B2C),G) (C-S1(A2C),G)
+
+ Figure 2: Ambiguity of Extranet Source Addresses
+
+ Suppose that:
+
+ o C-G is an SSM C-group address that is used in VPN-A, VPN-B, VPN-C,
+ and VPN-D.
+
+ o VRF A-1, on PE1, contains an extranet C-source, with IP address
+ C-S1, that is allowed by policy to have C-receivers in VPN-C (but
+ not in VPN-D). VRF A-1 thus exports a UMH-eligible route matching
+ C-S1 to VPN-C.
+
+ o In addition, VRF A-1 contains an extranet C-source, with IP
+ address C-S2, that is allowed by policy to have C-receivers in
+ VPN-D (but not in VPN-C). VRF A-1 thus exports a UMH-eligible
+ route matching C-S2 to VPN-D.
+
+ o VRF B-1, also on PE1, contains an extranet C-source, with IP
+ address C-S2, that is allowed by policy to have C-receivers in
+ VPN-C (but not in VPN-D). VRF B-1 thus exports a UMH-eligible
+ route matching C-S2 to VPN-C.
+
+ o Host(C-S2,A) != Host(C-S2,B). That is, C-S2 is an ambiguous
+ address in any extranet that contains both VPN-A VRFs and
+ VPN-B VRFs.
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 16]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ o VRF C-1, on some other PE, say PE2, requests the extranet
+ multicast flow (C-S1,C-G). In the context of VRF C-1, C-S1
+ matches the route exported from VRF A-1. Thus, C-1's request to
+ receive the (C-S1,C-G) flow is transmitted to VRF A-1.
+
+ o VRF A-1 responds to VRF C-1's request for (C-S1,C-G) traffic by
+ transmitting that traffic on P-tunnel P1.
+
+ o VRF C-1 joins P-tunnel P1 in order to receive the (C-S1,C-G)
+ traffic.
+
+ o VRF C-1 requests the extranet multicast flow (C-S2,C-G). In the
+ context of VRF C-1, C-S2 matches the route exported from VRF B-1.
+ Thus, C-1's request to receive the (C-S2,C-G) flow is transmitted
+ to VRF B-1.
+
+ o VRF B-1 responds by transmitting its (C-S2,C-G) traffic on
+ P-tunnel P2.
+
+ o VRF C-1 joins P-tunnel P2 in order to receive the (C-S2,C-G)
+ traffic.
+
+ o VRF D-1, on PE2, requests the extranet multicast flow (C-S2,C-G).
+ In the context of VRF D-1, C-S2 matches the route exported from
+ VRF A-1. Thus, D-1's request to receive the (C-S2,C-G) flow is
+ transmitted to VRF A-1.
+
+ o VRF A-1 responds by transmitting its (C-S2,C-G) traffic on
+ P-tunnel P1.
+
+ o VRF D-1 joins P-tunnel P1 in order to receive the (C-S2,C-G)
+ traffic.
+
+ In this example, VRF A-1 has chosen to use the same P-tunnel, P1, to
+ carry both its (C-S2,C-G) traffic and the (C-S1,C-G) traffic. VRF
+ C-1 has joined tunnel P1 in order to receive the (C-S1,C-G) traffic
+ from VRF A-1, which means that VRF C-1 will also receive the unwanted
+ (C-S2,C-G) traffic from P1. VRF C-1 is also expecting (C-S2,C-G)
+ traffic from VRF B-1; this traffic will be received from P2. Thus,
+ VRF C-1 is receiving (C-S2,C-G) traffic on both tunnels, and both
+ C-flows arrive from the expected PE, PE1.
+
+ Therefore, it is necessary to EITHER (1) prevent the above scenario
+ from occurring OR (2) ensure that VRF C-1 discards any (C-S,C-G)
+ traffic that arrives from the wrong P-tunnel. See Section 2.3 for
+ further discussion of this issue.
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 17]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Note that the ambiguity described in this section (Section 2.2) would
+ not occur if C-G were an (ASM) extranet C-group. In that case, the
+ scenario would violate the rule, given previously in Section 2,
+ requiring that all sources sending to a particular ASM extranet
+ C-group must have addresses that are unambiguous over all the MVPNs
+ receiving traffic for that C-group.
+
+2.3. Preventing Misdelivery in These Scenarios
+
+ There are two ways to prevent the scenarios discussed in Sections 2.1
+ and 2.2 from resulting in misdelivery of data; these techniques are
+ discussed in Sections 2.3.1 and 2.3.2, respectively.
+
+2.3.1. Do Not Deliver Packets from the Wrong P-tunnel
+
+ Consider a particular C-flow that has receivers in a particular VRF.
+ Sections 6 and 7 describe a set of procedures that enable an egress
+ PE to determine the "expected P-tunnel" for that C-flow in the
+ context of that VRF. If a PE receives packets of the C-flow (as
+ determined by the IP source and/or destination address of the
+ packet), it checks to see if the packet was received on the expected
+ P-tunnel for that VRF. If so, the packet is delivered to the VRF
+ (and thus to the C-flow's receivers in that VRF). If not, the packet
+ is not delivered to the VRF.
+
+ Note that at a given egress PE, the wrong P-tunnel for one VRF may be
+ the correct P-tunnel for another.
+
+ These procedures, if applied at every PE that joins a given P-tunnel,
+ are sufficient to prevent misdelivery of traffic in the scenarios
+ discussed in Sections 2.1 and 2.2.
+
+ IF these procedures cannot be applied by every PE that is attached to
+ a given extranet, then the policies of Section 2.3.2 MUST be applied
+ at every VRF containing C-sources for that extranet.
+
+ In some cases, however, it may be safe to deliver packets that arrive
+ from other than the expected P-tunnel. Suppose that it is known that
+ every packet gets transmitted on only a single P-tunnel. (This will
+ be the case if the "single PMSI per C-flow" transmission model,
+ discussed in Section 3.1, is being used.) Suppose also that it is
+ known that T1 and T2 carry only packets that arrived at the same
+ ingress PE, over one or more VRF interfaces that are associated with
+ the same VRF (i.e., that there is a particular VRF that is the
+ ingress VRF for ALL the packets carried by T1 or T2). In this case,
+ if T1 is the expected P-tunnel for a given (C-S,C-G), it is NOT
+ necessary to discard (S,G) packets that arrive over T2.
+
+
+
+
+Rekhter, et al. Standards Track [Page 18]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ It is not always possible to determine whether two P-tunnels are
+ carrying packets from the same ingress VRF. However, in some cases,
+ this can be determined by examination of the A-D routes in which the
+ tunnels have been advertised.
+
+ Consider the following example:
+
+ o Tunnel T1 is a Point-to-Multipoint (P2MP) multipoint Label
+ Distribution Protocol (mLDP) or RSVP-TE P-tunnel advertised in an
+ Intra-AS I-PMSI A-D route (call it "R1").
+
+ o Tunnel T2 is a P2MP mLDP or RSVP-TE P-tunnel advertised in an
+ S-PMSI A-D route (call it "R2").
+
+ o The respective NLRIs of R1 and R2 contain the same RD value.
+
+ o The MPLS Label field of R1's PTA is zero, and the MPLS label value
+ of R2's PTA is zero.
+
+ In this example, it can be concluded that T1 and T2 are carrying
+ packets from the same ingress VRF. Thus, if T1 is the expected
+ P-tunnel for a (C-S,C-G) flow, (S,G) packets from T2 can be safely
+ delivered to the egress VRF; they do not need to be discarded.
+ Similarly, if T2 is the expected P-tunnel for a (C-S,C-G) flow, (S,G)
+ packets from T1 can be safely delivered to the egress VRF.
+
+ Another example is the following:
+
+ o Tunnel T3 is a P2MP mLDP or RSVP-TE P-tunnel advertised in a
+ (C-*,C-*) S-PMSI A-D route (call it "R3").
+
+ o Tunnel T4 is a P2MP mLDP or RSVP-TE P-tunnel advertised in a
+ (C-S,C-G) S-PMSI A-D route (call it "R4").
+
+ o The respective NLRIs of R3 and R4 contain the same RD value.
+
+ o The MPLS Label field of R3's PTA is zero, and the MPLS label value
+ of R4's PTA is zero.
+
+ In this example, it can be concluded that T3 and T4 are carrying
+ packets from the same ingress VRF. Thus, if T3 is the expected
+ P-tunnel for a (C-S,C-G) flow, (S,G) packets from T4 can be safely
+ delivered to the egress VRF; they do not need to be discarded.
+ Similarly, if T4 is the expected P-tunnel for a (C-S,C-G) flow,
+ (S,G) packets from T3 can be safely delivered to the egress VRF.
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 19]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ When Ingress Replication (IR) P-tunnels are being used, please see
+ [MVPN-IR], especially Section 7 ("The PTA's 'MPLS Label' Field") for
+ a discussion of how to determine when packets from other than the
+ expected P-tunnel must be discarded.
+
+2.3.2. Policies to Prevent Ambiguity on a P-Tunnel
+
+ For P-tunnels that are advertised in S-PMSI A-D routes whose NLRI
+ contains (C-S,C-G) or (C-S,C-*), the ambiguities described in
+ Sections 2.1 and 2.2 can be prevented by provisioning a policy that
+ assigns, to such P-tunnels, only flows from the same C-source.
+
+ However, it is not always possible to determine, through inspection
+ of the control messages, whether this policy has been deployed. For
+ instance, suppose that (1) a given VRF has imported a set of S-PMSI
+ A-D routes, (2) each route in the set has bound only a single
+ (C-S1,C-G1) to a single P-tunnel, and (3) each route in the set
+ identifies a different P-tunnel in its PTA than the P-tunnel
+ identified by the PTA of any other route in the set. One cannot
+ infer from this that there is no ambiguity, as the same P-tunnel may
+ also have been advertised in an S-PMSI A-D route that is not imported
+ by the given VRF, and that S-PMSI A-D route may have bound
+ (C-S2,C-G2) to the P-tunnel, where C-S1 != C-S2.
+
+ Therefore, in order to determine that a given P-tunnel (advertised in
+ a (C-S,C-G) or (C-S,C-*) S-PMSI A-D route) carries only C-flows from
+ a single C-source, a PE must have a priori knowledge (through
+ provisioning) that this policy has been deployed. In the remainder
+ of this document, we will refer to this policy as the "single
+ C-source per (C-S,C-G) or (C-S,C-*) P-tunnel" policy. Note that this
+ policy is only applicable to P-tunnels that are advertised only in
+ (C-S,C-G) or (C-S,C-*) S-PMSI A-D routes.
+
+ Of course, if a P-tunnel is advertised in (a) an I-PMSI A-D route,
+ (b) an S-PMSI A-D route whose NLRI contains (C-*,C-*), or (c) an
+ S-PMSI A-D route whose NLRI contains (C-*,C-G), then it is always
+ possible for the P-tunnel to contain traffic from multiple C-sources;
+ there is no policy that can prevent that.
+
+ However, if a P-tunnel advertised in a (C-*,C-G) S-PMSI A-D route
+ contains only traffic addressed to a single C-G, the address
+ uniqueness rules of Section 2 prevent the C-source addresses from
+ being ambiguous; the set of C-sources transmitting to a particular
+ extranet C-group address must be unambiguous over the set of MVPNs
+ that have receivers for that C-group. So, for P-tunnels that are
+ advertised in (C-*,C-G) S-PMSI A-D routes, the ambiguities described
+ in Sections 2.1 and 2.2 can be prevented by provisioning a policy
+
+
+
+
+Rekhter, et al. Standards Track [Page 20]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ that assigns to such P-tunnels only flows to the same extranet
+ C-group. We will refer to this policy as the "single C-group per
+ (C-*,C-G) P-tunnel" policy.
+
+ These considerations can be summarized as follows. IF the procedures
+ referenced in Section 2.3.1 cannot be applied, then the PEs MUST be
+ provisioned so that all of the following conditions hold true for the
+ VRFs that contain extranet C-sources:
+
+ o the "single C-source per (C-S,C-G) or (C-S,C-*) P-tunnel" policy
+ is provisioned,
+
+ o either no (C-*,C-G) S-PMSI A-D routes are advertised or the
+ "single C-group per (C-*,C-G) P-tunnel" policy is provisioned,
+
+ o no P-tunnels are advertised in I-PMSI A-D routes, and
+
+ o no (C-*,C-*) S-PMSI A-D routes are advertised.
+
+ Section 3 of this document describes a procedure known as "extranet
+ separation". When extranet separation is used, the ambiguity
+ described in Section 2.1 is prevented. However, the ambiguity
+ described in Section 2.2 is not prevented by extranet separation.
+ Therefore, the use of extranet separation is not a sufficient
+ condition for avoiding the use of the procedures discussed in
+ Section 2.3.1. Extranet separation is, however, implied by the
+ policies discussed in this section (Section 2.3.2).
+
+3. Extranet Transmission Models
+
+ This document specifies several "extranet transmission" models. A
+ given VRF containing extranet C-sources or C-receivers MUST use only
+ one of these models. Further, if VRF-S contains extranet C-sources,
+ VRF-R contains extranet C-receivers, and it is allowed by policy for
+ an extranet C-receiver in VRF-R to receive a C-flow from an extranet
+ C-source in VRF-S, then VRF-S and VRF-R MUST use the same extranet
+ transmission model. The model used by a given VRF is determined by
+ provisioning.
+
+3.1. Transmitting an Extranet C-Flow on a Single PMSI
+
+ In one extranet transmission model, which we call the "transmitting
+ an extranet C-flow on a single PMSI" model or, more simply, the
+ "single PMSI per C-flow" model, a PE transmitting a packet of an
+ extranet C-flow transmits it on only a single PMSI. If the PMSI is
+ instantiated by a multicast P-tunnel, this means that the PE
+ transmits the packet on a single P-tunnel. Of course, if the PE is a
+ replication point for that multicast P-tunnel, the packet is
+
+
+
+Rekhter, et al. Standards Track [Page 21]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ transmitted more than once by the PE. Similarly, if the PMSI is
+ instantiated by IR, each packet may be transmitted multiple times.
+ It is still the case, though, that the packet is transmitted only on
+ one PMSI.
+
+ This document provides procedures for supporting this transmission
+ model using either BGP or PIM as the PE-PE C-multicast control
+ protocol.
+
+ There are two variants of this transmission model: "without extranet
+ separation" and "with extranet separation".
+
+3.1.1. Without Extranet Separation
+
+ In this variant, multicast data traffic from extranet C-sources and
+ from non-extranet C-sources may be carried in the same P-tunnel.
+
+ This document provides procedures for supporting this variant using
+ either BGP or PIM as the PE-PE C-multicast control protocol.
+
+3.1.2. With Extranet Separation
+
+ In this variant, multicast data traffic from extranet C-sources and
+ from non-extranet C-sources are never carried in the same P-tunnel.
+ Under certain circumstances, this can reduce the amount of multicast
+ data traffic that is delivered unnecessarily to certain PE routers.
+ It also eliminates the ambiguity discussed in Section 2.1.
+
+ By definition, when extranet separation is used, the following rule
+ MUST be applied:
+
+ Traffic from extranet C-sources MUST NOT be carried in the same
+ P-tunnel as traffic from non-extranet C-sources.
+
+ This rule does not impact those VRFs that contain only non-extranet
+ C-sources, nor does it impact those VRFs that contain only extranet
+ C-sources. However, if a particular VRF contains both kinds of
+ C-sources, it will need to advertise some P-tunnels that are used for
+ carrying only extranet C-flows and some that are used only for
+ carrying non-extranet C-flows.
+
+ This document provides procedures for supporting extranet separation
+ when BGP is used as the PE-PE C-multicast control protocol. Support
+ for extranet separation using PIM as the PE-PE C-multicast control
+ protocol is outside the scope of this document.
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 22]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+3.2. Transmitting an Extranet C-Flow over Multiple PMSIs
+
+ The second extranet transmission model is called the "transmitting an
+ extranet C-flow over multiple PMSIs" model or, more simply, the
+ "multiple PMSIs per C-flow" model. In this model, a PE may transmit
+ the packets of an extranet C-flow on several different PMSIs.
+
+ Support for extranet separation with this model is outside the scope
+ of this document.
+
+ This document provides procedures for supporting this transmission
+ model when PIM is used as the PE-PE C-multicast control protocol.
+ Support for this transmission model when BGP is used as the PE-PE
+ C-multicast control protocol is outside the scope of this document.
+
+4. Distribution of Routes That Match C-S/C-RP Addresses
+
+4.1. UMH-Eligible Routes
+
+ As described in Section 5.1 of [RFC6513], in order for a C-flow
+ (C-S,C-G) to be carried across the SP backbone, a VRF that has
+ multicast receivers for that C-flow must import a route that matches
+ C-S, and this route must be "eligible for UMH selection". In this
+ document, we will refer to these routes as "UMH-eligible extranet
+ C-source routes".
+
+ The UMH-eligible extranet C-source routes do not necessarily have to
+ be unicast routes; they MAY be SAFI 129 routes (see Section 5.1.1 of
+ [RFC6513]). For example, suppose that one wants a VPN-R C-receiver
+ to be able to receive extranet C-flows from C-sources in VPN-S but
+ does not want any VPN-R system to be able to send unicast traffic to
+ those C-sources. One can achieve this by using SAFI 129 routes as
+ the UMH-eligible routes exported from VPN-S and imported by VPN-R.
+ Since SAFI 129 routes are used only for UMH determination and not for
+ unicast routing, this allows the multicast traffic to be forwarded
+ properly but does not create unicast routes to the C-sources.
+
+ If a customer is using PIM-SM in the ASM model and one or more
+ customer sites have C-receivers that are allowed by policy to join a
+ (C-*,C-G) tree, where C-G is an extranet C-group, then any VRF with
+ C-receivers for that group MUST import a UMH-eligible route that
+ matches C-RP, where C-RP is the Rendezvous Point (RP) address
+ for C-G.
+
+ The UMH-eligible extranet C-source and C-RP routes do not have to be
+ "host routes". That is, they can be routes whose IPv4 address
+ prefixes are not 32 bits in length or whose IPv6 address prefixes are
+ not 128 bits in length. So, it is possible for a UMH-eligible
+
+
+
+Rekhter, et al. Standards Track [Page 23]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ extranet C-source route to match the address of an extranet C-source
+ and to also match the address of a non-extranet C-source. However,
+ if such a route is exported from a VPN-S VRF and imported by a VPN-R
+ VRF, VPN-R receivers will be able to receive C-flows from any
+ non-extranet C-sources whose addresses match that route. To prevent
+ this, the VPN-S VRF SHOULD be provisioned such that it will NOT
+ export a UMH-eligible route that matches (in the context of the VPN-R
+ VRF) both extranet C-sources and non-extranet C-sources. Failure to
+ follow this rule may result in a VPN security violation. (See
+ Section 10.)
+
+ In general, one does not want ALL the routes from the VPN-S VRFs to
+ be exported to all the VPN-R VRFs, as only a subset of the routes in
+ the VPN-S VRFs will be UMH-eligible extranet C-source routes. Route
+ distribution is, as is always the case for a BGP/MPLS IP VPN
+ [RFC4364], controlled by Route Targets (RTs). A variety of route
+ distribution policies can be created by appropriately provisioning
+ the import and export RTs of the various VRFs.
+
+ For example, the VPN-S VRFs that contain extranet C-sources could be
+ configured to apply an export RT whose value is "RT-A-extranet" to
+ the routes that match the extranet C-sources. The VPN-R VRFs that
+ contain extranet C-receivers allowed to receive extranet C-flows
+ from VPN-S extranet C-sources could then be configured with
+ "RT-A-extranet" as an import RT.
+
+ Arbitrarily complex policies can be created by suitable manipulation
+ of the import and export RTs.
+
+4.1.1. Extranet Separation
+
+ If extranet separation is being used and a given VRF is exporting
+ UMH-eligible routes for both extranet C-sources and non-extranet
+ C-sources, then the VRF MUST be configured not only with its
+ default RD but also with an extranet RD. The exported UMH-eligible
+ routes MUST contain the extranet RD in their NLRIs.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 24]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+4.2. Distribution of Unicast Routes Matching C-RPs and DRs
+
+ Consider a C-source, C-S, that may transmit to a particular extranet
+ C-group, C-G.
+
+ In order to follow the procedures of [RFC7761],
+
+ o The "first-hop designated router (DR)" for C-S needs to be able to
+ unicast PIM Register messages to a C-RP that services C-G.
+
+ o The C-RPs servicing C-G need to be able to unicast PIM
+ Register-Stop messages to the DR for C-S.
+
+ It follows that if a VRF contains C-S but does not contain a C-RP for
+ C-G, then the VRF MUST import a unicast route matching a C-RP for
+ C-G. Note that the unicast route matching the C-RP is needed whether
+ or not the VRF has also imported a SAFI 129 route matching the C-RP.
+ (If the VRF also contains receivers for C-G and UMH determination is
+ being done using SAFI 129 routes, both a unicast route and a SAFI 129
+ matching C-RP route are needed.)
+
+ Similarly, if a VRF contains a C-RP for C-G but does not contain C-S,
+ the VRF MUST import a unicast route matching the DR for C-S. Note
+ that the unicast route matching the DR for C-S is needed even if UMH
+ determination is being done using SAFI 129 routes; in that case, if
+ the VRF also contains receivers for C-G, it needs to import a
+ SAFI 129 route matching C-S and a unicast route matching the DR
+ for C-S.
+
+ If, for a particular extranet C-group, C-G, the customer is using
+ "anycast-RP" [RFC3446] [RFC4610] or the Multicast Source Discovery
+ Protocol (MSDP) [RFC3618], then all the C-RPs serving C-G need to
+ send unicast messages to each other. Thus, any VRF that contains a
+ C-RP for C-G needs to import unicast routes matching ALL the other
+ C-RPs that serve C-G.
+
+ The need to distribute these unicast routes is usually not a problem
+ as long as all the C-sources and C-RPs for C-G are in the same MVPN.
+ If, however, the C-sources are not all in the same MVPN, great care
+ must be taken to ensure that the unicast routes mentioned above are
+ properly distributed.
+
+ There may be scenarios in which all the C-sources for C-G are in the
+ same MVPN, but there are receivers in different VPNs, and some or all
+ of the VPNs with receivers have their own C-RPs for C-G. In this
+ case, care must be taken to ensure that the C-RPs can all unicast to
+ each other.
+
+
+
+
+Rekhter, et al. Standards Track [Page 25]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+4.3. Route Targets and Ambiguous UMH-Eligible Routes
+
+ This section imposes a constraint on the way RTs are assigned to
+ (a) UMH-eligible routes and (b) the BGP A-D routes that advertise
+ P-tunnels (i.e., BGP A-D routes that contain a PTA). The constraint
+ specified here applies to any extranet for which the ambiguity
+ described in Section 2.2 is possible. (The conditions under which
+ such ambiguity is possible are also described in Section 2.2.)
+
+ We want to ensure that, in any given VRF, the UMH-eligible route
+ matching a given extranet C-source has an RT in common with every BGP
+ A-D route that advertises a P-tunnel that may be used to carry
+ extranet multicast traffic from that C-source. We also want to
+ ensure that the UMH-eligible route matching a given extranet C-source
+ does not have any RT in common with any BGP A-D route that advertises
+ a P-tunnel that may be used to carry any multicast traffic from a
+ different C-source that has the same IP address. This enables us to
+ determine whether traffic that appears to be from the given C-source
+ is really arriving on the wrong P-tunnel and hence is really from a
+ different C-source with the same IP address.
+
+ Suppose that an IP address C-S is used in VPN-A as the address of one
+ system and used in VPN-B as the address of a different system. In
+ this case, one or more VPN-A VRFs may export a VPN-IP route whose
+ NLRI is <RD1,S>, and one or more VPN-B VRFs may export a VPN-IP route
+ whose NLRI is <RD2,S>, where RD1 != RD2. Consider two routes -- R1
+ and R2 -- for which the following conditions all hold:
+
+ o R1 and R2 are UMH-eligible extranet C-source or C-RP routes, or
+ are unicast routes matching a C-RP.
+
+ o R1 is exported from a VRF of VPN-A, while R2 is exported from a
+ VRF of a different VPN, say VPN-B.
+
+ o R1's NLRI specifies IP address prefix S/n.
+
+ o R2's NLRI specifies IP address prefix S/m.
+
+ o m >= n (S/m is either the same as or more specific than S/n).
+
+ o There is some host address H such that:
+
+ * H denotes a different system in VPN-A than in VPN-B, and
+
+ * H/m == S/m (so either S/m or S/n might be a longest match for H
+ in some VRF).
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 26]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ We impose the following constraint: RTs MUST be assigned in such a
+ way that R1 and R2 do not have any RT in common.
+
+ (This constraint is not as onerous as it may seem. Typically, R1 and
+ R2 would not have an RT in common, as that might result in their
+ being imported into the same VRF, making the address H ambiguous in
+ that VRF.)
+
+ Sections 6 and 7 specify procedures for determining if a received
+ C-flow has been received over the expected P-tunnel. Those
+ procedures will not work if this constraint is violated. (The
+ constraint described in this section is necessary, but not
+ sufficient, for the procedures of Sections 6 and 7 to work;
+ additional constraints that cover the assignment of RTs to BGP A-D
+ routes are given in subsequent sections.)
+
+4.4. Dynamically Marking Extranet Routes
+
+4.4.1. The Extranet Source Extended Community
+
+ Sections 4.1, 4.2, and 4.3 place specific requirements on the way in
+ which certain VPN-IP routes are distributed. In order to ensure that
+ these requirements are met, a VPN customer must tell its SP which
+ routes are the matching routes for extranet C-sources and C-RPs.
+ This may be done as part of the provisioning process. Note that this
+ does not necessarily require customer/provider interaction every time
+ the customer adds a new extranet C-source or C-RP, but only when the
+ IP address of the new C-source or C-RP does not match an existing
+ route that is already being distributed as a VPN-IP extranet route.
+ Nevertheless, it seems worthwhile to support an OPTIONAL mechanism
+ that allows a customer to dynamically mark certain routes as being
+ extranet routes.
+
+ To facilitate this, we define a new Transitive Opaque Extended
+ Community (see [RFC4360], [RFC7153], and Section 9 of this document):
+ the Extranet Source Extended Community. When a Customer Edge (CE)
+ router advertises (via BGP) a route to a PE router and the AFI/SAFI
+ of the route is 1/1, 1/2, 1/4, 2/1, 2/2, or 2/4, the Extranet Source
+ Extended Community MAY be attached to the route. The value field of
+ the Extended Community MUST be set to zero. By placing this Extended
+ Community on a particular route, a CE router indicates to a PE router
+ that the procedures of Sections 4.1, 4.2, and 4.3 are to be applied
+ to that route. That is, the CE router may use this Extended
+ Community to indicate to the PE router that a particular route is to
+ be treated as a route that matches the address of an extranet source
+ and is to be exported accordingly to other VPNs. A PE router that
+ interprets this Extended Community MUST ignore the contents of the
+ value field.
+
+
+
+Rekhter, et al. Standards Track [Page 27]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Whether a CE router uses the Extranet Source Extended Community is
+ determined by the configuration of the CE router. If used, the set
+ of routes to which the Extended Community is attached is also
+ determined by configuration of the CE. Note that a particular PE
+ router may or may not support the use of the Extranet Source Extended
+ Community by a particular CE router; this is determined by the
+ service agreement between the SP and its customer.
+
+ If a CE is advertising SAFI 2 routes to the PE as the UMH-eligible
+ extranet C-source and C-RP routes and the CE is using the Extranet
+ Source Extended Community, it is important that the CE attach that
+ Extended Community to the SAFI 2 routes, rather than just to the
+ corresponding SAFI 1 routes. Otherwise, extranet receivers may not
+ be able to join the (C-S,C-G) or (C-*,C-G) multicast trees.
+
+ However, if the C-sources and the C-RPs for a given extranet C-group
+ are not all in the same VPN, the Extended Community would also have
+ to be attached to the SAFI 1 routes that match the C-RP addresses and
+ to the SAFI 1 routes that match the addresses of the first-hop
+ designated routers for all the C-sources. Otherwise, the first-hop
+ routers might not be able to send PIM Register messages to the C-RPs,
+ and the C-RPs might not be able to send PIM Register-Stop messages to
+ the first-hop routers.
+
+ While this Extended Community allows a customer to inform the SP
+ dynamically that certain routes are "extranet routes", it does not
+ allow a customer to control the set of RTs that the route will carry
+ when it is redistributed as a VPN-IP route. Thus, it is only useful
+ when all the extranet routes from a given VRF are exported with
+ exactly the same set of RTs. (cf. Section 4.3.1 of [RFC4364], which
+ does provide a mechanism that, if properly supported by the SP,
+ allows the customer to determine the set of RTs carried by a VPN-IP
+ route.) A CE SHOULD NOT attach the Extranet Source Extended
+ Community to any route for which it uses another method of specifying
+ the RTs to be carried by that route. A CE SHOULD NOT attach the
+ Extranet Source Extended Community to a route unless all the extranet
+ routes from the CE's VPN are intended to carry the same set of RTs.
+
+ A PE SHOULD ignore the Extranet Source Extended Community if it
+ appears on a route that the CE should not have put it on. A PE that
+ ignores the Extranet Source Extended Community SHOULD NOT follow the
+ procedures of Section 4.4.2.
+
+ Note that misconfiguration on the CE router can result in the
+ Extranet Source Extended Community being mistakenly attached to a
+ route that is not intended to be exported as an extranet route. This
+ could result in a VPN security violation.
+
+
+
+
+Rekhter, et al. Standards Track [Page 28]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+4.4.2. Distribution of Extranet Source Extended Community
+
+ Suppose that a PE receives from a CE a route (call it "R") with the
+ Extranet Source Extended Community. The PE must determine (via the
+ considerations discussed in Section 4.4.1) whether it should ignore
+ that Extended Community on route R; if it should ignore the Extended
+ Community, the procedures described in this section are not followed.
+
+ Otherwise, when the PE originates a VPN-IP route corresponding to
+ route R, the PE MUST attach this Extended Community to that route.
+
+ A Route Reflector MUST NOT add or remove the Extranet Source Extended
+ Community from the VPN-IP routes reflected by the Route Reflector,
+ including the case where VPN-IP routes received via Internal BGP
+ (IBGP) are reflected to External BGP (EBGP) peers (inter-AS
+ option (c); see Section 10 of [RFC4364]). The value of the Extended
+ Community MUST NOT be changed by the Route Reflector.
+
+ When re-advertising VPN-IP routes, Autonomous System Border Routers
+ (ASBRs) MUST NOT add/remove the Extranet Source Extended Community
+ from these routes. This includes inter-AS options (b) and (c) (see
+ Section 10 of [RFC4364]). The value of the Extended Community
+ MUST NOT be changed by the ASBRs.
+
+ When a PE advertises (via BGP) IP routes to a CE, these routes
+ MUST NOT carry the Extranet Source Extended Community unless the
+ PE-CE connection is actually an inter-AS option (a) connection (see
+ Section 10 of [RFC4364]). When the PE-CE connection is not an
+ inter-AS option (a) connection, a CE that receives an IP route with
+ the Extranet Source Extended Community MUST remove it from the route
+ before re-advertising the route.
+
+ The rules for attaching the Extranet Source Extended Community to a
+ VPN-IP route, and the rules for propagating that Extended Community,
+ are needed in order to support the scenario in which a VPN contains
+ an option (a) interconnect (see Section 10 of [RFC4364]). At the
+ option (a) interconnect, the VPN-IP route gets translated back to an
+ IP route, and the RTs are stripped off before the IP route is
+ propagated. If the Extranet Source Extended Community has also been
+ stripped off, there is no way for the router at the other end of the
+ option (a) interconnect to know that the route represents an extranet
+ source. Thus, the technique of using the Extranet Source Extended
+ Community to dynamically signal that a particular route represents an
+ extranet source will not work correctly across an option (a)
+ interconnect unless the rules in this section are followed.
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 29]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+4.5. The Extranet Separation Extended Community
+
+ We define a new Transitive Opaque Extended Community: the Extranet
+ Separation Extended Community (see [RFC4360], [RFC7153], and
+ Section 9 of this document). This Extended Community is used only
+ when extranet separation is being used. Its value field MUST be set
+ to zero upon origination, MUST be ignored upon reception, and MUST be
+ passed unchanged by intermediate routers. A Route Reflector MUST NOT
+ add or remove the Extranet Separation Extended Community from the
+ routes it reflects, including the case where routes received via IBGP
+ are reflected to EBGP peers (inter-AS option (c); see Section 10 of
+ [RFC4364]).
+
+ If a VRF has been provisioned to use extranet separation and that VRF
+ has been provisioned to transmit any extranet C-flows on a P-tunnel
+ that it advertises in an I-PMSI A-D route or a (C-*,C-*) S-PMSI A-D
+ route, then any UMH-eligible routes that are exported from that VRF
+ following the procedures of Sections 4.1, 4.2, and 4.3 MUST carry the
+ Extranet Separation Extended Community. In addition, if an I-PMSI
+ A-D route and/or (C-*,C-*) S-PMSI A-D route exported from that VRF is
+ used to carry extranet traffic, that A-D route MUST also carry the
+ Extranet Separation Extended Community. Further details may be found
+ in Sections 7.3, 7.4.4, and 7.4.5.
+
+5. Origination and Distribution of BGP A-D Routes
+
+ Except where otherwise specified, this section describes procedures
+ and restrictions that are independent of the PE-PE C-multicast
+ control protocol.
+
+5.1. Route Targets of UMH-Eligible Routes and A-D Routes
+
+ Suppose that there is an extranet C-flow such that:
+
+ o The extranet C-source of that C-flow is in VRF A-1.
+
+ o One or more extranet C-receivers of that C-flow are in VRF B-1.
+
+ In this case, VRF A-1 MUST export a UMH-eligible route that matches
+ the extranet C-source address, and VRF B-1 MUST import that route.
+ In addition, VRF A-1 MUST export an Intra-AS I-PMSI A-D route or an
+ S-PMSI A-D route specifying the P-tunnel through which it will send
+ the data traffic of the given extranet C-flow, and VRF B-1 MUST
+ import that route. If BGP is the PE-PE C-multicast control protocol,
+ then under certain conditions (as specified in [RFC6514]), VRF A-1
+ may also need to export a Source Active A-D route specifying that it
+ contains a source of the given C-flow, and VRF B-1 must import that
+ Source Active A-D route. That is, in order for VRF B-1 to receive a
+
+
+
+Rekhter, et al. Standards Track [Page 30]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ C-flow from a given extranet C-source contained in VRF A-1, VRF A-1
+ MUST export a set of A-D routes that are "about" that source, and VRF
+ B-1 MUST import them.
+
+ One way to ensure this is to provision an RT that is carried by all
+ the routes exported from VRF A-1 that are "about" a given extranet
+ C-source and also provision this RT as an import RT at any VRF (such
+ as VRF B-1) that is allowed to receive extranet flows from that
+ source.
+
+ If the "single PMSI per C-flow" transmission model is being used
+ (with or without extranet separation), there is an additional
+ requirement, stated below, regarding the way RTs are provisioned, as
+ the RTs carried by a UMH-eligible route that matches a given extranet
+ C-source may need to be used to identify the A-D routes that are
+ "about" that source.
+
+ Consider the following scenario:
+
+ o IP address S is the address of one system in VPN-A and the address
+ of a different system in VPN-B.
+
+ o VRF A-1 on PE1 exports UMH-eligible route R1, which is a matching
+ route for S.
+
+ o VRF A-1 on PE1 exports an A-D route P1 whose PTA identifies a
+ P-tunnel through which VRF A-1 may send traffic whose C-source is
+ S, where one of the following conditions holds:
+
+ * P1 is an I-PMSI A-D route, OR
+
+ * P1 is an S-PMSI A-D route whose NLRI contains (C-*,C-*) or
+ (C-*,C-G), OR
+
+ * P1 is an S-PMSI A-D route whose NLRI contains (C-S,C-G) or
+ (C-S,C-*), BUT the "single C-source per (C-S,C-G) or (C-S,C-*)
+ P-tunnel" policy is not provisioned, OR
+
+ * P1 is a Source Active A-D route whose NLRI contains (C-S,C-G).
+
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 31]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ o VRF B-1 on PE1 exports a UMH-eligible route R2, which is a
+ matching route for S.
+
+ o VRF B-1 on PE1 exports an A-D route P2 whose PTA identifies a
+ P-tunnel on which VRF B-1 may send traffic whose C-source is S,
+ where one of the following conditions holds:
+
+ * P2 is an I-PMSI A-D route, OR
+
+ * P2 is an S-PMSI A-D route whose NLRI specifies (C-*,C-*) or
+ (C-*,C-G), OR
+
+ * P2 is an S-PMSI A-D whose NLRI specifies (C-S,C-G) or
+ (C-S,C-*), BUT the "single C-source per (C-S,C-G) or (C-S,C-*)
+ P-tunnel" policy is not provisioned, OR
+
+ * P2 is a Source Active A-D route whose NLRI contains (C-S,C-G).
+
+ As implied by the rules of Section 4.1, there MUST NOT be any RT that
+ is common to both R1 and R2. In addition, the following set of rules
+ for RT assignment MUST be followed when extranets are supported.
+ These rules support all the extranet transmission models described in
+ this specification:
+
+ o There MUST NOT be any RT that is carried by both P1 and P2.
+
+ o The intersection of the set of RTs carried by P1 and the set of
+ RTs carried by R1 MUST be non-null, and any VRF that imports both
+ P1 and R1 MUST be configured with an import RT from this
+ intersection.
+
+ o The intersection of the set of RTs carried by P2 and the set of
+ RTs carried by R2 MUST be non-null, and any VRF that imports both
+ P2 and R2 MUST be configured with an import RT from this
+ intersection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 32]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Suppose that VRF C-1 on PE2 imports P1 and R1 from VRF A-1 while also
+ importing P2 from VRF B-1. Since
+
+ o R1 is VRF C-1's route to S,
+
+ o R1 has an RT in common with P1, and
+
+ o R1 has no RT in common with P2,
+
+ it can be concluded that VRF C-1 should expect that multicast traffic
+ from S will arrive on the P-tunnel specified in P1. See Sections 6
+ and 7 for more details on determining the expected P-tunnel for a
+ given extranet C-flow.
+
+ While the assignment of import and export RTs to routes is a
+ deployment and provisioning issue rather than a protocol issue, it
+ should be understood that failure to follow these rules is likely to
+ result in VPN security violations.
+
+5.2. Considerations for Particular Inclusive Tunnel Types
+
+ An Inclusive Tunnel (sometimes referred to as an "Inclusive Tree";
+ see Section 2.1.1 of [RFC6513]) is a tunnel that, by default, carries
+ all the multicast traffic of a given MVPN that enters the backbone
+ network via a particular PE. An Inclusive Tunnel is advertised in
+ the PTA of an I-PMSI A-D route.
+
+5.2.1. RSVP-TE P2MP or Ingress Replication
+
+ This section applies when Inclusive Tunnels are created using either
+ RSVP-TE P2MP or IR.
+
+ Suppose that a VRF, say VRF-S, contains a given extranet C-source
+ C-S, and VRF-S advertises in its Intra-AS I-PMSI A-D route either a
+ P2MP RSVP-TE P-tunnel or an IR P-tunnel to carry extranet traffic.
+
+ In order for VRF-S to set up the P2MP RSVP-TE or IR P-tunnel, it must
+ know all the PEs that are leaf nodes of the P-tunnel, and to learn
+ this it must import an Intra-AS I-PMSI A-D route from every VRF that
+ needs to receive data through that tunnel.
+
+ Therefore, if VRF-R contains an extranet C-receiver that is allowed
+ by policy to receive extranet flows from C-S, the RT(s) carried by
+ the Intra-AS I-PMSI A-D routes originated by VRF-R MUST be such that
+ those Intra-AS I-PMSI A-D routes will be imported into VRF-S.
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 33]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ In the case of IR, this has the following consequence: if an egress
+ PE has n VRFs with receivers for a flow that VRF-S transmits on its
+ I-PMSI, that egress PE will receive n copies of the same packet, one
+ for each of the n VRFs.
+
+ Note that Section 9.1.1 of [RFC6514] prohibits the "Leaf Information
+ Required" flag from being set in the PTA of an Intra-AS I-PMSI A-D
+ route. If this prohibition is ever removed, the requirement of this
+ section will apply only if VRF-S does not set that flag.
+
+5.2.2. Ingress Replication
+
+ This section applies only when Inclusive Tunnels are created via IR.
+
+ [RFC6513] and [RFC6514] specify procedures that allow I-PMSIs to be
+ instantiated by IR. The concept of an IR P-tunnel, and the
+ procedures for supporting IR P-tunnels, are explained more fully in
+ [MVPN-IR]. An IR P-tunnel can be thought of as a P2MP tree in which
+ a packet is transmitted from one node on the tree to another by being
+ encapsulated and sent through a unicast tunnel.
+
+ As discussed in Section 2, when I-PMSIs are used to support
+ extranets, egress PEs MUST have the ability to discard customer
+ multicast data packets that arrive on the wrong P-tunnel. When
+ I-PMSIs are instantiated by IR, this implies that the following two
+ procedures MUST be followed:
+
+ 1. One of the following three procedures MUST be followed:
+
+ a. the "Single Forwarder Selection" procedures of Section 9.1.2
+ of [RFC6513]
+
+ b. the "native PIM methods" of Section 9.1.3 of [RFC6513]
+
+ c. the unicast encapsulation used to transmit packets along the
+ IR P-tunnel is such as to enable the receiving node to
+ identify the transmitting node (note that this would not be
+ the case if, for example, the unicast tunnels were MP2P LSPs)
+
+ and
+
+ 2. If a PE assigns an MPLS label value in the PTA of an Intra-AS or
+ Inter-AS I-PMSI A-D route that it originates, that label value
+ MUST NOT appear in the PTA of any other I-PMSI or S-PMSI A-D
+ route originated by the same PE.
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 34]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Failure to follow these procedures would make it impossible to
+ discard packets that arrive on the wrong P-tunnel and thus could lead
+ to duplication of data.
+
+ If it is desired to support extranets while also using IR to
+ instantiate the PMSIs, an alternative is to use (C-*,C-*) S-PMSIs
+ instead of I-PMSIs. (See [RFC6625], as well as Sections 7.2.2,
+ 7.3.2, and 7.4.4 of this document.) This has much the same effect in
+ the data plane, and there are no restrictions on the type of unicast
+ tunnel that can be used for instantiating S-PMSIs.
+
+ Section 6.4.5 of [RFC6513] describes a way to support VPNs using
+ I-PMSIs that are instantiated by IR, using no S-PMSIs, but using
+ "explicit tracking" to ensure that a C-flow goes only to egress PEs
+ that have receivers for it. This document does not provide
+ procedures to support extranets using that model.
+
+6. When PIM Is the PE-PE C-Multicast Control Plane
+
+ As specified in [RFC6513], when PIM is used as the PE-PE C-multicast
+ control plane for a particular MVPN, there is a "Multidirectional
+ Inclusive Provider Multicast Service Interface" (MI-PMSI) for that
+ MVPN, and all the PEs of that MVPN must be able to send and receive
+ on that MI-PMSI. Associated with each VRF of the MVPN is a PIM
+ C-instance, and the PIM C-instance treats the MI-PMSI as if it were a
+ LAN interface. That is, the "ordinary" PIM procedures run over the
+ MI-PMSI just as they would over a real LAN interface, except that the
+ data-plane and control-plane "Reverse Path Forwarding (RPF) checks"
+ need to be modified. Section 5.2 of [RFC6513] specifies the RPF
+ check modifications for non-extranet MVPN service.
+
+ For example, suppose that there are two VPNs: VPN-S and VPN-R. In
+ the absence of extranet support, all the VRFs of VPN-S are connected
+ via one MI-PMSI (call it "the VPN-S MI-PMSI"), and all the VRFs of
+ VPN-R are connected via another ("the VPN-R MI-PMSI"). If we want to
+ provide extranet service in which the extranet C-sources are attached
+ to some set of VPN-S VRFs while the extranet C-receivers are attached
+ to some set of VPN-R VRFs, then we have two choices:
+
+ 1. either the VPN-R VRFs need to join the VPN-S MI-PMSI, or
+
+ 2. the VPN-S VRFs need to join the VPN-R MI-PMSI.
+
+ The first choice is used to support the "single PMSI per C-flow"
+ transmission model. The second choice is used to support the
+ "multiple PMSIs per C-flow" transmission model.
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 35]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Procedures for both models are described below.
+
+ To support these models, it must be possible to determine which
+ I-PMSI A-D routes are associated with the VPN-S I-PMSI and which
+ I-PMSI A-D routes are associated with the VPN-R I-PMSI. Procedures
+ are given for assigning RTs to these routes in a way that makes this
+ determination possible.
+
+ Both models allow the use of S-PMSIs to carry multicast data traffic.
+ If a VRF containing receivers can receive from multiple MI-PMSIs,
+ each S-PMSI must be uniquely associated with a particular MI-PMSI.
+ Procedures are given for assigning RTs to these routes in a way that
+ makes this determination possible.
+
+ All the procedures specified in Sections 3, 4, and 5 still apply.
+
+ Note that there are no special extranet procedures for Inter-AS
+ I-PMSI A-D routes or for Leaf A-D routes. Source Active A-D routes
+ are not used when PIM is the PE-PE C-multicast protocol.
+
+6.1. Provisioning VRFs with RTs
+
+6.1.1. Incoming and Outgoing Extranet RTs
+
+ In the absence of extranet service, suppose that each VRF of a given
+ VPN (call it "VPN-S") is configured with RT-S as its import and
+ export RT, and that each VRF of a second VPN (call it "VPN-R") is
+ configured with RT-R as its import and export RT. We will refer to
+ RT-S and RT-R as "non-extranet RTs".
+
+ Now suppose that VPN-S contains some extranet C-sources and VPN-R
+ contains some extranet C-receivers that are allowed by policy to
+ receive extranet C-flows from the VPN-S extranet C-sources.
+
+ To set up this S-to-R extranet, provisioning an additional RT (call
+ it "RT-S-to-R") whose value is, in general, distinct from RT-S and
+ RT-R is REQUIRED.
+
+ A VPN-S VRF that contains extranet C-sources allowed to transmit to
+ VPN-R MUST be configured with RT-S-to-R as an "Outgoing Extranet RT".
+
+ A VPN-R VRF that contains extranet C-receivers allowed to receive
+ packets from VPN-S MUST be configured with RT-S-to-R as an "Incoming
+ Extranet RT".
+
+ Note that the terms "Incoming" and "Outgoing" in this context refer
+ to the direction of multicast data packets relative to the VRF.
+
+
+
+
+Rekhter, et al. Standards Track [Page 36]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ The Incoming Extranet RTs and Outgoing Extranet RTs that are
+ configured for a given VRF serve as import RTs for that VRF. They
+ also serve as export RTs, but only for specific routes as specified
+ in Section 6.1.2 below.
+
+ Note that any VRF that contains both extranet C-sources and extranet
+ C-receivers MUST be configured with both Outgoing Extranet RTs and
+ Incoming Extranet RTs.
+
+ A VRF MAY be configured with more than one Incoming Extranet RT
+ and/or Outgoing Extranet RT.
+
+ If it happens to be the case that all C-sources in VPN-S are extranet
+ C-sources allowed to transmit to VPN-R, then VPN-S VRFs MAY be
+ configured such that RT-S is both a non-extranet RT and an Outgoing
+ Extranet RT, and VPN-R VRFs MAY be configured such that RT-S is an
+ Incoming Extranet RT.
+
+6.1.2. UMH-Eligible Routes and RTs
+
+ Suppose that R1 is a route exported from a VPN-S VRF and matching an
+ extranet C-source that is allowed by policy to transmit to VPN-R. In
+ that case, R1 MUST carry the Outgoing Extranet RT used for the S-to-R
+ extranet. This will cause the route to be imported into the VPN-R
+ VRFs that have extranet C-receivers that are allowed by policy to
+ receive from VPN-S.
+
+ The rules of Section 4 regarding RTs and ambiguous addresses still
+ apply.
+
+6.1.3. PIM C-Instance Reverse Path Forwarding Determination
+
+ Suppose that a PIM control message (call it "M") is received by a
+ given VRF (call it "VRF-V") from a particular P-tunnel T. In order
+ to process control message M, the PIM C-instance associated with
+ VRF-V may need to do an "RPF determination" (see Section 5.2.2 of
+ [RFC6513]) for a particular IP prefix S. RPF determination is based
+ upon the rules for UMH selection as specified in Section 5.1 of
+ [RFC6513].
+
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 37]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ This document specifies an additional constraint on the UMH selection
+ procedure. When doing RPF determination for a PIM control message
+ received over a P-tunnel, a route matching prefix S is not considered
+ to be eligible for UMH selection unless there is an RT (call it
+ "RT1"), configured as one of VRF-V's Outgoing Extranet RTs, such that
+ the following two conditions both hold:
+
+ 1. The route matching S is exported from VRF-V carrying RT1, and
+
+ 2. An I-PMSI A-D route advertising P-tunnel T (in its PTA) has been
+ imported into VRF-V, and that I-PMSI A-D route carries RT1.
+
+6.2. "Single PMSI per C-Flow" Model
+
+ In this model, if a VPN-S VRF has extranet multicast C-sources and a
+ VPN-R VRF has extranet multicast C-receivers allowed by policy to
+ receive from the C-sources in the VPN-S VRF, then the VPN-R VRF joins
+ the MI-PMSI that VPN-S uses for its non-extranet traffic.
+
+6.2.1. Forming the MI-PMSIs
+
+ Consider a VPN-S VRF that has extranet C-sources. Per [RFC6513],
+ each VPN-S VRF must originate an Intra-AS I-PMSI A-D route containing
+ a PTA specifying the P-tunnel to be used as part of the VPN-S
+ MI-PMSI. In the absence of extranet service, this route carries the
+ VRF's non-extranet RT, RT-S. When extranet service is provided
+ (using the "single PMSI per C-flow" model), this route MUST also
+ carry each of the VRF's Outgoing Extranet RTs.
+
+ Consider a VPN-R VRF that has extranet C-receivers. Per [RFC6513],
+ each VPN-R VRF must originate an Intra-AS I-PMSI A-D route containing
+ a PTA specifying the P-tunnel to be used as part of the VPN-R
+ MI-PMSI. This route carries the VRF's non-extranet RT, RT-R. When
+ extranet service is provided (using the "single PMSI per C-flow"
+ model), the VPN-R VRF MUST also originate one or more additional
+ Intra-AS I-PMSI A-D routes. It MUST originate one additional
+ Intra-AS I-PMSI A-D route for each Incoming Extranet RT with which it
+ has been configured; each such route will carry exactly one of the
+ configured Incoming Extranet RTs.
+
+ Note that when a VRF originates more than one Intra-AS I-PMSI A-D
+ route, each of them MUST contain a different RD in its NLRI. In
+ addition, we add the requirement that any pair of such routes
+ MUST NOT contain an RT in common.
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 38]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ A VRF with extranet C-sources MUST join the P-tunnels advertised in
+ the imported I-PMSI A-D routes that carry its non-extranet RT or any
+ of its Outgoing Extranet RTs. This set of P-tunnels will be treated
+ as instantiating a single MI-PMSI; the associated PIM C-instance will
+ treat that MI-PMSI as a single LAN and will run PIM procedures on
+ that LAN, as specified in [RFC6513]. The fact that the MI-PMSI
+ attaches to VRFs of different VPNs is not known to the PIM C-instance
+ of the VRF containing the sources.
+
+ A VRF with extranet C-receivers MUST join the P-tunnels advertised in
+ all the imported I-PMSI A-D routes. The set of P-tunnels advertised
+ in the I-PMSI A-D routes that carry a particular Incoming Extranet RT
+ are treated as instantiating a particular MI-PMSI. So, a VRF with
+ C-receivers will "see" several MI-PMSIs, one corresponding to the
+ non-extranet, and as many as one for each configured Incoming
+ Extranet RT. The PIM C-instance associated with the VRF will treat
+ each of these MI-PMSIs as a separate LAN interface.
+
+ As an example, suppose that:
+
+ o All VPN-R VRFs are configured with RT-R as a non-extranet import
+ and export RT, and
+
+ o VPN-R VRFs with extranet receivers are configured with RT-S-to-R
+ as an Incoming Extranet RT, and
+
+ o VPN-S VRFs with extranet transmitters are configured with:
+
+ * RT-S as a non-extranet import and export RT
+
+ * a list of IP addresses that are the addresses of the extranet
+ sources
+
+ * RT-S-to-R as an Outgoing Extranet RT
+
+ VPN-S VRFs will then export UMH-eligible routes matching extranet
+ C-sources, and these routes will carry both RT-S and RT-S-to-R. Each
+ VPN-S VRF will also export an Intra-AS I-PMSI A-D route that carries
+ both RT-S and RT-S-to-R.
+
+ VPN-R VRFs will originate and export two Intra-AS I-PMSI A-D routes:
+ one carrying RT-R and one carrying RT-S-to-R. The Intra-AS I-PMSI
+ A-D route with RT-S-to-R will be imported into the VPN-S VRFs.
+
+ VPN-R will regard all the I-PMSI A-D routes it has exported or
+ imported with RT-S-to-R as part of a single MI-PMSI. VPN-R will
+ regard all the I-PMSI A-D routes it has exported or imported with
+ RT-R as part of a second MI-PMSI. The PIM C-instance associated with
+
+
+
+Rekhter, et al. Standards Track [Page 39]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ a VPN-R VRF will treat the two MI-PMSIs as two separate LAN
+ interfaces. However, the VPN-S VRFs will regard all the I-PMSI A-D
+ routes imported with RT-S or RT-S-to-R as establishing only a single
+ MI-PMSI. One can think of this as follows: the VPN-R VRFs have
+ joined the VPN-S MI-PMSI as well as the VPN-R MI-PMSI.
+
+ Extranets consisting of more than two VPNs are easily supported as
+ follows. Suppose that there are three VPNs: VPN-A, VPN-B, and VPN-C.
+ VPN-A and VPN-B have extranet C-sources, and VPN-C contains receivers
+ for both VPN-A extranet C-sources and VPN-B extranet C-sources. In
+ this case, the VPN-C VRFs that have receivers for both VPN-A and
+ VPN-B sources may be provisioned as follows. These VPN-C VRFs may be
+ provisioned with RT-C as a non-extranet RT, and with RT-A-to-C and
+ RT-B-to-C as Incoming Extranet RTs. In this case, the VPN-C VRFs
+ that are so provisioned will originate three Intra-AS I-PMSI A-D
+ routes (each with a different RD in its NLRI), each of which carries
+ exactly one of the three RTs just mentioned. The VPN-B VRFs with
+ extranet C-sources will be provisioned with RT-B-to-C as an Outgoing
+ Extranet RT, and the VPN-A VRFs will be provisioned with RT-A-to-C as
+ an Outgoing Extranet RT. The result will be that the PIM C-instance
+ associated with a VPN-C VRF will see three LAN interfaces: one for
+ the non-extranet and one for each of the two extranets. This
+ generalizes easily to the case where there are VPN-C receivers in
+ n different extranets (i.e., receiving extranet flows whose sources
+ are in n different VPNs).
+
+ Suppose again that there are three VPNs -- VPN-A, VPN-B, and VPN-C --
+ but in this example VPN-A is the only one with extranet sources while
+ VPN-B and VPN-C both have receivers for the VPN-A extranet sources.
+ This can be provisioned as either one extranet or two extranets.
+
+ To provision it as one extranet, the VPN-A VRFs are configured with
+ one Outgoing Extranet RT (call it "RT-A-extranet"). The VPN-B and
+ VPN-C VRFs with extranet receivers will be provisioned with
+ RT-A-extranet as the Incoming Extranet RT. Thus, the VPN-B and VPN-C
+ VRFs will each originate two Intra-AS I-PMSI A-D routes: one for the
+ non-extranet and one for the extranet. From a given VRF, the
+ Intra-AS I-PMSI A-D route for the extranet will carry RT-A-extranet
+ but will not share any RT with the non-extranet A-D routes exported
+ from the same VRF.
+
+ The result is that the VPN-B and VPN-C VRFs each belong to two
+ MI-PMSIs: one for the extranet and one for the intranet. The MI-PMSI
+ for the extranet attaches VPN-A VRFs, VPN-B VRFs, and VPN-C VRFs.
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 40]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Alternatively, one could provision the VPN-A VRFs so that some
+ UMH-eligible extranet source routes carry an RT that we will call
+ "RT-A-to-B" and some carry an RT that we will call "RT-A-to-C". The
+ VPN-A VRFs would be configured with both of these as Outgoing
+ Extranet RTs. To allow an extranet flow from a VPN-A source to have
+ both VPN-B and VPN-C receivers, the UMH-eligible route for that
+ source would carry both RTs. VPN-B VRFs (but not VPN-C VRFs) would
+ be provisioned with RT-A-to-B as an Incoming Extranet RT. VPN-C VRFs
+ (but not VPN-B VRFs) would be provisioned with RT-A-to-C as an
+ Incoming Extranet RT.
+
+ Following the rules above, if any VPN-A extranet source is to have
+ both VPN-B and VPN-C receivers, the VPN-B and VPN-C VRFs will each
+ originate two I-PMSI A-D routes: one for the extranet and one for the
+ non-extranet. The single Intra-AS I-PMSI A-D route originated by the
+ VPN-A VRFs will have both RT-A-to-B and RT-A-to-C among its RTs (as
+ well as VPN-A's non-extranet RT). The extranet I-PMSI A-D route
+ originated from a VPN-B VRF would have RT-A-to-B, and the extranet
+ I-PMSI A-D route originated from a VPN-C VRF would have RT-A-to-C.
+
+ If a given VRF contains both extranet C-receivers and extranet
+ C-sources, the procedures described above still work, as the VRF will
+ be configured with both Incoming Extranet RTs and Outgoing Extranet
+ RTs; the VRF functions as both a VPN-S VRF and a VPN-R VRF.
+
+6.2.2. S-PMSIs
+
+ When PIM is used as the PE-PE C-multicast control plane, every S-PMSI
+ is considered to be part of the "emulated LAN" that "corresponds" to
+ a particular MI-PMSI.
+
+ When the bindings of C-flows to particular S-PMSIs are announced via
+ S-PMSI Join messages (Section 7 of [RFC6513]) sent on the MI-PMSI,
+ the S-PMSI is considered to be part of the same LAN interface as the
+ corresponding MI-PMSI.
+
+ When the bindings of C-flows to particular S-PMSIs are announced via
+ S-PMSI A-D routes, any S-PMSI A-D route exported from that VRF MUST
+ have an RT in common with exactly one of the Intra-AS A-D routes
+ exported from that VRF, and this MUST be one of the VRF's Outgoing
+ Extranet RTs. Further, the S-PMSI A-D route MUST NOT have an RT in
+ common with any other Intra-AS A-D route exported from a VRF on the
+ same PE. A given S-PMSI A-D route will be considered to "correspond"
+ to the MI-PMSI of the Intra-AS I-PMSI A-D route (originated from the
+ same PE) with which it shares an RT.
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 41]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ The MI-PMSI that corresponds to a given S-PMSI is determined as
+ follows:
+
+ o If (1) there is an Intra-AS I-PMSI A-D route originated by the
+ same PE that originated the S-PMSI A-D route, (2) those two routes
+ have an RT in common, and (3) that RT is one of the VRF's Incoming
+ Extranet RTs, then the S-PMSI corresponds to the I-PMSI associated
+ with that Intra-AS I-PMSI A-D route.
+
+ o Otherwise, if (1) there is an Inter-AS I-PMSI A-D route originated
+ in the same AS as the S-PMSI A-D route, (2) those two routes have
+ an RT in common, and (3) that RT is one of the VRF's Incoming
+ Extranet RTs, then the S-PMSI corresponds to the I-PMSI associated
+ with that Inter-AS I-PMSI A-D route.
+
+ o Otherwise, there must be a configuration error (a violation of the
+ requirements of Sections 3, 4, and 5 of this document).
+
+ When wildcard S-PMSIs are used, the rules given in [RFC6625] for
+ determining whether a given S-PMSI A-D route is a "match for
+ reception" to a given (C-S,C-G) or (C-*,C-G) are modified as follows:
+
+ A given S-PMSI A-D route MUST NOT be considered to be a "match for
+ reception" for a given (C-S,C-G) or (C-*,C-G) state UNLESS that
+ S-PMSI A-D route "corresponds" (as defined above) to the MI-PMSI
+ that is the incoming interface for the given state.
+
+ The rules given in [RFC6625] for determining whether a given S-PMSI
+ A-D route is a "match for transmission" are unchanged.
+
+6.2.3. Sending PIM Control Packets
+
+ Suppose that a PE, say PE1, receives a PIM Join(S,G) from a CE, over
+ a VRF interface that is associated with a VPN-R VRF. The PE does the
+ RPF check for S by looking up S in the VPN-R VRF. The PIM C-instance
+ associated with that VRF must determine the correct P-tunnel over
+ which to send a PIM Join(S,G) to other PEs.
+
+ To do this, PE1 finds, in the VRF associated with the interface over
+ which the Join was received, the selected UMH route for S, following
+ the procedures of Section 5.1 of [RFC6513]. PE1 determines the set
+ of RTs carried by that route. PE1 then checks to see if there is an
+ Intra-AS I-PMSI A-D route, currently originated by PE1, that has an
+ RT in common with the selected UMH route for S.
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 42]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ If the rules of Sections 3, 4, and 5 have been followed, each of
+ PE1's selected UMH routes will share an RT with a single one of PE1's
+ currently originated Intra-AS I-PMSI A-D routes. If this is so, the
+ Join is sent on the P-tunnel advertised in the PTA of that route.
+ Otherwise, the Join MUST NOT be sent.
+
+ In essence, this procedure makes the RPF check for C-S resolve to the
+ MI-PMSI that is serving as the next-hop "interface" to C-S.
+
+ If a PE receives a PIM Join(*,G) from a CE, the procedure for doing
+ the RPF check is the same, except that the selected UMH route will be
+ a route to the C-RP associated with the C-G group.
+
+6.2.4. Receiving PIM Control Packets
+
+ When a PIM C-instance receives a PIM control message from a P-tunnel,
+ it needs to identify the message's incoming interface. This incoming
+ interface is the MI-PMSI of which the P-tunnel is a part.
+
+6.2.5. Sending and Receiving Data Packets
+
+ The rules for choosing the PMSI on which to send a multicast data
+ packet are as specified in [RFC6513] and [RFC6625], with one new
+ restriction: a VPN-S VRF always transmits a multicast data packet
+ either on the VPN-S MI-PMSI or on an S-PMSI that corresponds to the
+ VPN-S MI-PMSI. From the perspective of the PIM C-instance, there is
+ only one outgoing interface.
+
+ When a PIM C-instance receives a multicast data packet from a given
+ P-tunnel and that P-tunnel is being used to instantiate an MI-PMSI,
+ the MI-PMSI of which the P-tunnel is a part (see Sections 6.2.1 and
+ 6.2.2) is considered to be the packet's incoming interface. If the
+ packet is received on a P-tunnel that was advertised in an S-PMSI A-D
+ route, the packet's incoming interface is the MI-PMSI to which that
+ S-PMSI route corresponds, as defined in Section 6.2.2. Ordinary PIM
+ rules for data-plane RPF checks apply.
+
+ Following ordinary PIM procedures, packets arriving from an
+ unexpected incoming interface are discarded. This eliminates any
+ problems due to the ambiguities described in Sections 2.1 and 2.2.
+
+6.3. "Multiple PMSIs per C-Flow" Model
+
+ In this model, if a VPN-S VRF has extranet multicast C-sources and a
+ VPN-R VRF has extranet multicast C-receivers allowed by policy to
+ receive from the C-sources in the VPN-S VRF, then the VPN-S VRF joins
+ the MI-PMSI that VPN-R uses for its non-extranet traffic.
+
+
+
+
+Rekhter, et al. Standards Track [Page 43]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ In the "single PMSI per C-flow" transmission model (as described in
+ Section 6.2), a PE that needs to transmit a multicast data packet to
+ a set of other PEs transmits the packet on a single PMSI. This means
+ that if a packet needs to be transmitted from a VPN-A VRF and
+ received at a VPN-B VRF and a VPN-C VRF, there must be some P-tunnel
+ from which the VPN-B and VPN-C VRFs can both receive packets.
+
+ In the "multiple PMSIs per C-flow" transmission model, a PE that
+ needs to transmit a multicast data packet to a set of other PEs may
+ transmit the packet on several different PMSIs. (Of course, any
+ given packet is transmitted only once on a given P-tunnel.) For
+ example, if a C-flow (C-S,C-G) has a VPN-A C-source, a VPN-B
+ receiver, and a VPN-C receiver, there could be one PMSI that the
+ VPN-A VRF uses to transmit the packet to the VPN-B VRFs and
+ another PMSI that the VPN-A VRF uses to transmit the packet to the
+ VPN-C VRFs.
+
+6.3.1. Forming the MI-PMSIs
+
+ Consider a VPN-R VRF that has extranet C-receivers. Per [RFC6513],
+ each VPN-R VRF must originate an Intra-AS I-PMSI A-D route containing
+ a PTA specifying the P-tunnel to be used as part of the VPN-R
+ MI-PMSI. In the absence of extranet service, this route carries the
+ VRF's non-extranet RT, RT-R. When extranet service is provided
+ (using the "single PMSI per C-flow" model), this route MUST also
+ carry each of the VRF's Incoming Extranet RTs.
+
+ Consider a VPN-S VRF that has extranet C-sources. Per [RFC6513],
+ each VPN-S VRF must originate an Intra-AS I-PMSI A-D route containing
+ a PTA specifying the P-tunnel to be used as part of the VPN-S
+ MI-PMSI. This route carries the VRF's non-extranet RT, RT-S. When
+ extranet service is provided using the "multiple PMSIs per C-flow"
+ model, the VPN-S VRF MUST also originate one or more additional
+ Intra-AS I-PMSI A-D routes. It MUST originate one additional
+ Intra-AS I-PMSI A-D route for each Outgoing Extranet RT with which it
+ has been configured; each such route will have a distinct RD and will
+ carry exactly one of the configured Outgoing Extranet RTs.
+
+ As with the "single PMSI per C-flow" transmission model, VRFs
+ containing extranet C-receivers need to import UMH-eligible extranet
+ C-source routes from VRFs containing C-sources. This is ensured by
+ the rules of Sections 3, 4, and 5.
+
+ However, in the "multiple PMSIs per C-flow" model, a VRF containing
+ only C-receivers originates only a single Intra-AS I-PMSI A-D route
+ carrying the non-extranet RT and all the Incoming Extranet RTs.
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 44]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ When a VRF containing C-receivers imports Intra-AS I-PMSI A-D routes
+ that carry the non-extranet RT or one of the Incoming Extranet RTs,
+ the P-tunnels specified in the PTA of all such routes are considered
+ to be part of the same MI-PMSI. That is, the associated PIM
+ C-instance will treat them as part of a single interface.
+
+ In this model, it is the VRF containing extranet C-sources that MUST
+ originate multiple Intra-AS I-PMSI A-D routes. Each such route MUST
+ have a distinct RD, and the set of RTs carried by any one of these
+ routes MUST be disjoint from the set carried by any other. There
+ MUST be one such route for each of the VRF's Outgoing Extranet RTs,
+ and each such route MUST carry exactly one of the VRF's Outgoing
+ Extranet RTs. The VRFs containing extranet C-sources MUST also
+ import all the A-D routes originated by the VRFs containing extranet
+ C-receivers. If a set of originated and/or imported Intra-AS I-PMSI
+ A-D routes have an RT in common and that RT is one of the VRF's
+ Outgoing Export RTs, then those routes are considered to be "about"
+ the same MI-PMSI. The PIM C-instance of the VRF treats each MI-PMSI
+ as a LAN interface.
+
+ In effect, if VPN-S has only extranet C-sources and VPN-R has only
+ extranet C-receivers, this model has the VPN-S VRFs join the VPN-R
+ MI-PMSI. The VPN-S VRFs will thus be attached to multiple MI-PMSIs,
+ while the VPN-R VRFs are attached to only one. The fact that the
+ VPN-R MI-PMSI is attached to VPN-S VRFs is not known to the PIM
+ C-instance at the VPN-R VRFs.
+
+ If a VPN-A VRF has extranet C-sources allowed to send to C-receivers
+ in a VPN-B VRF and the VPN-B VRF has C-sources allowed to send to
+ C-receivers in the VPN-A VRF, the above procedures still work as
+ specified.
+
+ Following normal PIM procedures, when the PIM C-instance at a VRF
+ with extranet C-sources receives a Join(C-S,C-G) or a Join(C-*,C-G)
+ over an MI-PMSI, it may create (C-S,C-G) or (C-*,C-G) state, and the
+ MI-PMSI over which the Join was received may be added to the set of
+ outgoing interfaces for that multicast state. If n MI-PMSIs are
+ added to the outgoing interface list for a particular multicast
+ state, a multicast data packet may need to be replicated n times and
+ transmitted once on each of the n MI-PMSIs.
+
+ Since all of the multicast data packets received from another PE are
+ received over a single emulated LAN, it is not necessary to have any
+ special procedures to determine a packet's incoming interface. The
+ ambiguities described in Sections 2.1 and 2.2 do not occur, because a
+ VPN-R VRF can only receive multicast data traffic that has been
+ requested by a VPN-R VRF.
+
+
+
+
+Rekhter, et al. Standards Track [Page 45]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+7. When BGP Is the PE-PE C-Multicast Control Plane
+
+ This document assumes that if BGP is used as the PE-PE C-multicast
+ control plane, the "single PMSI per C-flow" model is used.
+ Procedures for providing the "multiple PMSIs per C-flow" model with
+ BGP C-multicast are outside the scope of this document.
+
+ When BGP is used as the C-multicast control plane, the "single PMSI
+ per C-flow" model may be used either with or without extranet
+ separation. (Recall that "extranet separation" means that no
+ P-tunnel can carry traffic from both extranet sources and
+ non-extranet sources.) In either case, the data traffic may be
+ carried on Inclusive Tunnels only, Selective Tunnels only (known as
+ the "S-PMSI only" model), or a combination of Inclusive Tunnels and
+ Selective Tunnels. This is determined by provisioning. The
+ procedures specified below support all three choices.
+
+ Note that there are no special extranet procedures for Inter-AS
+ I-PMSI A-D routes or for Leaf A-D routes.
+
+7.1. Originating C-Multicast Routes
+
+ This section applies whether extranet separation is used or not.
+
+ When it is necessary to originate a C-multicast Source Tree Join for
+ (C-S,C-G), a PE must follow the procedures of Section 11.1.3
+ ("Constructing the Rest of the C-Multicast Route") of [RFC6514] to
+ find the selected UMH route for C-S. When it is necessary to
+ originate a C-multicast Shared Tree Join for (C-*,C-G), where C-G is
+ an ASM group, a PE must follow the procedures of that section to find
+ the selected UMH route for C-G's C-RP.
+
+ Section 11.1.3 of [RFC6514] specifies how information from the
+ selected UMH route is used to find an Intra-AS I-PMSI A-D route or an
+ Inter-AS I-PMSI A-D route. Information from that I-PMSI A-D route is
+ then used to construct part of the C-multicast route.
+
+ For extranets, the rules given in Section 7.4.5 of this document are
+ used to find the Inter-AS I-PMSI A-D route or an Intra-AS I-PMSI A-D
+ route that "corresponds" to the selected UMH route; the rules in
+ Section 7.4.5 replace the rules given in Section 11.1.3 of [RFC6514]
+ for finding the Inter-AS or Intra-AS I-PMSI A-D route.
+
+ Information from this I-PMSI A-D route is then used, as specified in
+ Section 11.1.3 of [RFC6514], to construct the C-multicast route.
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 46]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+7.2. Originating A-D Routes without Extranet Separation
+
+7.2.1. Intra-AS I-PMSI A-D Routes
+
+ Consider a VRF (call it "VRF-S") that contains extranet C-sources and
+ exports UMH-eligible routes matching those C-sources. The VRF may
+ also originate and export an Intra-AS I-PMSI A-D route.
+
+ As specified in [RFC6514], if exactly one Intra-AS I-PMSI A-D route
+ is originated by and exported from VRF-S, the RTs carried by that
+ route MUST be chosen such that every VRF that imports a UMH-eligible
+ route from VRF-S also imports this Intra-AS I-PMSI A-D route.
+
+ If inclusive P-tunnels are being used to carry extranet C-flows,
+ there are additional requirements on the way the RTs carried by the
+ Intra-AS I-PMSI A-D routes must be chosen, as specified in the
+ following paragraph.
+
+ If VRF-S is using inclusive P-tunnels but is not using extranet
+ separation, there is one inclusive P-tunnel rooted at VRF-S, and this
+ tunnel carries both extranet and non-extranet C-flows. This
+ Inclusive Tunnel is identified in the PTA of the Intra-AS I-PMSI A-D
+ route originated from VRF-S. The set of RTs carried by this Intra-AS
+ I-PMSI A-D route MUST be chosen so as to ensure that every VRF that
+ imports a UMH-eligible route from this VRF-S also imports this
+ Intra-AS I-PMSI A-D route. Further, the set of RTs carried by this
+ Intra-AS I-PMSI A-D route MUST be chosen such that it has at least
+ one RT in common with every UMH-eligible route that is exported from
+ the VRF.
+
+7.2.2. S-PMSI A-D Routes
+
+ Let R-SP be an S-PMSI A-D route that is exported from VRF-S. Suppose
+ that R-SP is used to bind some or all of the extranet C-flows from a
+ given extranet C-source to a given selective P-tunnel. Let R-UMH be
+ a UMH-eligible route that is exported from VRF-S and matches the
+ given extranet C-source. In that case, R-SP and R-UMH MUST have at
+ least one RT in common. Further, the RTs carried by these two routes
+ MUST be such that every VRF that imports R-UMH also imports R-SP.
+ These rules apply whether or not R-SP uses wildcards [RFC6625].
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 47]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ An implementation MUST allow the set of RTs carried by the S-PMSI A-D
+ routes to be specified by configuration. In the absence of such
+ configuration, an S-PMSI A-D route originated by a given VRF, say
+ VRF-X, MUST carry a default set of RTs, as specified by the following
+ rules:
+
+ 1. By default, an S-PMSI A-D route originated by VRF-X for a given
+ (C-S,C-G) or (C-S,C-*) carries the same RT(s) as the UMH-eligible
+ route originated by VRF-X that matches C-S.
+
+ 2. By default, an S-PMSI A-D route originated by VRF-X for a given
+ (C-*,C-G) carries as its RTs a set union of all RT(s) of the
+ UMH-eligible route(s) matching the multicast C-sources contained
+ in VRF-X that could originate traffic for that C-G. Moreover, if
+ the VRF contains (as defined in Section 1.1) the C-RP of C-G,
+ then this set union also includes the RT(s) of the UMH-eligible
+ route matching C-RP and the RT(s) of the unicast VPN-IP route
+ matching C-RP.
+
+ 3. By default, if a (C-*,C-*) S-PMSI A-D route originated by VRF-X
+ is to be used for both extranet and non-extranet traffic, it
+ carries the same RTs that would be carried (as specified in
+ Section 7.2.1) by an I-PMSI A-D route originated by VRF-X if that
+ I-PMSI A-D route were advertising an inclusive P-tunnel for
+ carrying both extranet and non-extranet traffic. In general, a
+ given VRF would not originate both (a) an S-PMSI A-D route
+ advertising a (C-*,C-*) selective P-tunnel for both extranet and
+ non-extranet traffic and (b) an I-PMSI A-D route advertising an
+ inclusive P-tunnel for both extranet and non-extranet traffic, as
+ the inclusive P-tunnel would not get used in that case.
+
+7.2.3. Source Active A-D Routes
+
+7.2.3.1. When Inter-Site Shared Trees Are Used
+
+ This section applies when inter-site shared trees are used, as
+ specified in Section 13 of [RFC6514].
+
+ If VRF-S exports a Source Active A-D route that contains C-S in the
+ Multicast Source field of its NLRI and VRF-S also exports a
+ UMH-eligible route matching C-S, the Source Active A-D route MUST
+ carry at least one RT in common with the UMH-eligible route. The RT
+ MUST be chosen such that the following condition holds: if a VRF, say
+ VRF-R, contains an extranet C-receiver allowed by policy to receive
+ extranet traffic from C-S, then VRF-R imports both the UMH-eligible
+ route and the Source Active A-D route.
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 48]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ By default, a Source Active A-D route for a given (C-S,C-G), exported
+ by a given VRF, carries the same set of RTs as the UMH-eligible route
+ matching C-S that is exported from that VRF.
+
+7.2.3.2. When Inter-Site Shared Trees Are Not Used
+
+ This section applies when inter-site shared trees are not used, as
+ specified in Section 14 of [RFC6514].
+
+ Suppose that a VRF, say VRF-X, contains the C-RP for a given extranet
+ C-group, say C-G. If C-S is an active source for C-G, then,
+ following the procedures of Section 14.1 of [RFC6514], VRF-X may
+ export a Source Active A-D route that contains C-S in the Multicast
+ Source field of its NLRI. With the following text, this document
+ replaces the rule specified in Section 14.1 of [RFC6514] for
+ constructing the RT(s) carried by such a route: VRF-X MUST be
+ configured such that the Source Active A-D route for (C-S,C-G)
+ carries the same set of RTs as the UMH-eligible route matching C-S
+ that is exported from the VRF(s) containing C-S. This way, if a VRF,
+ say VRF-R, contains an extranet C-receiver allowed by policy to
+ receive extranet traffic from C-S, then VRF-R imports both the
+ UMH-eligible route and the Source Active A-D route.
+
+7.3. Originating A-D Routes with Extranet Separation
+
+ If a VRF contains both extranet C-sources and non-extranet C-sources,
+ it MUST be configured with both a default RD and an extranet RD (see
+ Section 1.3). The use of these RDs is explained in the following
+ subsections.
+
+7.3.1. Intra-AS I-PMSI A-D Routes
+
+ This section applies when VRF-S is using extranet separation AND when
+ VRF-S is using an inclusive P-tunnel to carry some or all of the
+ extranet C-flows that it needs to transmit to other VRFs.
+
+ If VRF-S contains both extranet C-sources and non-extranet C-sources,
+ and inclusive P-tunnels are used to carry both extranet C-flows and
+ non-extranet C-flows, then there MUST be two Inclusive Tunnels from
+ VRF-S, one of which is to be used only to carry extranet C-flows (the
+ "extranet inclusive P-tunnel") and one of which is to be used only to
+ carry non-extranet C-flows (the "non-extranet inclusive P-tunnel").
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 49]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ In this case, the VRF MUST originate two Intra-AS I-PMSI A-D routes.
+ Their respective NLRIs MUST of course have different RDs. One of the
+ Intra-AS I-PMSI A-D routes identifies the extranet inclusive P-tunnel
+ in its PTA. This route MUST have the VRF's extranet RD in its NLRI.
+ The other route identifies the non-extranet inclusive P-tunnel in its
+ PTA. This route MUST have the VRF's default RD in its PTA.
+
+ If VRF-S uses an inclusive P-tunnel for carrying extranet traffic but
+ does not use an inclusive P-tunnel for carrying non-extranet traffic,
+ then of course only a single Intra-AS I-PMSI A-D route need be
+ originated. The PTA of this route identifies the "extranet inclusive
+ P-tunnel". The NLRI of that route MUST contain the VRF's
+ extranet RD.
+
+ An Intra-AS I-PMSI A-D route whose PTA identifies an extranet
+ inclusive P-tunnel MUST carry the Extranet Separation Extended
+ Community defined in Section 4.5.
+
+ The RTs carried by an Intra-AS I-PMSI A-D route whose PTA identifies
+ the "extranet inclusive P-tunnel" MUST be chosen such that the
+ following condition holds: if a VRF (call it "VRF-R") imports a
+ UMH-eligible route from VRF-S and that route matches an extranet
+ C-source, then VRF-R also imports that Intra-AS I-PMSI A-D route.
+
+ Note that when extranet separation is used, it is possible to use an
+ inclusive P-tunnel for non-extranet traffic while using only
+ selective P-tunnels for extranet traffic. It is also possible to use
+ an inclusive P-tunnel for extranet traffic while using only selective
+ P-tunnels for non-extranet traffic.
+
+7.3.2. S-PMSI A-D Routes
+
+ Let R-SP be an S-PMSI A-D route that is exported from VRF-S. Suppose
+ that R-SP is used to bind some or all of the extranet C-flows from a
+ given extranet C-source to a given selective P-tunnel. Let R-UMH be
+ a UMH-eligible route that is exported from VRF-S and matches the
+ given extranet C-source. In that case, R-SP and R-UMH MUST have at
+ least one RT in common. Further, the RTs carried by these two routes
+ MUST be such that every VRF that imports R-UMH also imports R-SP.
+ These rules apply whether or not R-SP uses wildcards [RFC6625].
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 50]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ The following rules, specific to the use of extranet separation,
+ apply:
+
+ o A selective P-tunnel MUST NOT carry C-flows from both extranet and
+ non-extranet C-sources.
+
+ o If it is desired to use a (C-*,C-*) S-PMSI to carry extranet
+ traffic and also use a (C-*,C-*) S-PMSI to carry non-extranet
+ traffic, then two (C-*,C-*) S-PMSI A-D routes MUST be originated.
+ These two routes MUST have different RDs in their respective NLRI
+ fields, and their respective PTAs MUST identify different
+ P-tunnels. If the route advertises a P-tunnel that carries only
+ non-extranet traffic, the route's NLRI MUST contain the VRF's
+ default RD. If the route advertises a P-tunnel that carries only
+ extranet traffic, the route's NLRI MUST contain the VRF's
+ extranet RD.
+
+ o In the following cases, an S-PMSI A-D route exported from the VRF
+ MUST have the VRF's extranet RD in its NLRI:
+
+ * The S-PMSI A-D route is a (C-S,C-G) or a (C-S,C-*) S-PMSI A-D
+ route, and C-S is an extranet C-source.
+
+ * The S-PMSI A-D route is a (C-*,C-G) S-PMSI A-D route, and C-G
+ is an extranet C-group.
+
+ In all other cases, a (C-S,C-G), (C-S,C-*), or (C-*,C-G) S-PMSI
+ A-D route MUST have the VRF's default RD in its NLRI.
+
+ o A (C-*,C-*) S-PMSI A-D route advertising a P-tunnel that is used
+ to carry extranet traffic MUST carry the Extranet Separation
+ Extended Community defined in Section 4.5.
+
+ An implementation MUST allow the set of RTs carried by the S-PMSI A-D
+ routes to be specified by configuration. In the absence of such
+ configuration, an S-PMSI A-D route originated by a given VRF, say
+ VRF-X, MUST carry a default set of RTs, as specified by the following
+ rules:
+
+ 1. Rule 1 of Section 7.2.2 applies.
+
+ 2. By default, if C-G is an extranet C-group, rule 2 of
+ Section 7.2.2 applies.
+
+ 3. By default, if a (C-*,C-*) S-PMSI A-D route originated by VRF-X
+ is to be used for extranet traffic, it carries the same RTs that
+ would be carried (as specified in Section 7.3.1) by an I-PMSI A-D
+ route originated by VRF-X if that I-PMSI A-D route were
+
+
+
+Rekhter, et al. Standards Track [Page 51]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ advertising an inclusive P-tunnel for carrying extranet traffic.
+ In general, a given VRF would not originate both an S-PMSI A-D
+ route advertising a (C-*,C-*) selective P-tunnel for extranet
+ traffic and an I-PMSI A-D route advertising an inclusive P-tunnel
+ for extranet traffic, as the inclusive P-tunnel would not get
+ used in that case.
+
+7.3.3. Source Active A-D Routes
+
+ The procedures of Section 7.2.3 apply.
+
+ However, if a Source Active A-D route is exported from a given VRF
+ and the route contains C-S, where C-S is an extranet C-source, then
+ the RD of the route's NLRI MUST be the extranet RD of the VRF.
+ Otherwise, the RD is the default RD of the VRF.
+
+7.4. Determining the Expected P-Tunnel for a C-Flow
+
+ This section applies whether extranet separation is used or not.
+
+ In the context of a VRF with receivers for a particular C-flow, a PE
+ must determine the P-tunnel over which packets of that C-flow are
+ expected to arrive. This is done by finding an I-PMSI or S-PMSI A-D
+ route that "matches" the flow. The matching A-D route will contain a
+ PTA that specifies the P-tunnel being used to carry the traffic of
+ that C-flow. We will refer to this P-tunnel as the "expected
+ P-tunnel" for the C-flow. (Note that, per [MVPN-IR], if the PTA
+ specifies a tunnel of type "Ingress Replication" (IR), the identifier
+ of the P-tunnel is actually the NLRI of the I-PMSI or S-PMSI A-D
+ route. If the PTA specifies a tunnel type other than IR, the
+ identifier of the P-tunnel is found in the Tunnel Identifier field of
+ the PTA.)
+
+ A PE that needs to receive a given (C-S,C-G) or (C-*,C-G) C-flow MUST
+ join the expected P-tunnel for that C-flow, and the PE MUST remain
+ joined to the P-tunnel as long as (1) the PE continues to need to
+ receive the given C-flow and (2) the P-tunnel continues to remain the
+ expected P-tunnel for that C-flow. Procedures for joining and
+ leaving a tunnel depend, of course, on the tunnel type.
+
+ If a PTA specifies a non-zero MPLS label for a tunnel that is not an
+ IR tunnel, then the PE originating the A-D route containing that PTA
+ is advertising an aggregate P-tunnel. The aggregate P-tunnel can be
+ thought of as an outer P-tunnel multiplexing some number of inner
+ P-tunnels. The inner P-tunnels are demultiplexed by means of the
+ MPLS label in the PTA. In this document, when we talk of the
+ "expected P-tunnel" in the context of an aggregate P-tunnel, we refer
+
+
+
+
+Rekhter, et al. Standards Track [Page 52]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ to a particular inner P-tunnel, not to the outer P-tunnel. It is
+ this "inner P-tunnel" that is the expected P-tunnel for a given
+ C-flow.
+
+ In order to find the expected P-tunnel for a given C-flow, the
+ upstream PE of the C-flow is first determined. Then, the S-PMSI A-D
+ routes originated by that PE are examined, and their NLRIs compared
+ to the (C-S/C-RP,C-G) of the flow, to see if there is a "match for
+ reception". (If there is no S-PMSI A-D route that matches a given
+ C-flow, the expected P-tunnel for that C-flow may have been
+ advertised in an I-PMSI A-D route; see Section 7.4.5.)
+
+ The rules for determining, in non-extranet cases, whether a given
+ C-flow is a "match for reception" for a given S-PMSI A-D route are
+ given in Section 3.2 of [RFC6625]. Note that we use the terms
+ "installed" and "originated" as they are defined in Section 3.2 of
+ [RFC6625]. (See also Section 1.1 of this document.)
+
+ This specification provides additional rules for determining whether
+ a given S-PMSI A-D route is a "match for reception" for a given
+ (C-S/C-RP,C-G). Note that these rules all assume the context of a
+ particular VRF into which the A-D route has been imported.
+
+ The rules given in [RFC6625] for determining whether a given S-PMSI
+ A-D route is a "match for transmission" remain unchanged.
+
+ Suppose that a PE has originated a C-multicast Shared Tree Join for
+ (C-*,C-G) but has not originated a C-multicast Source Tree Join for
+ (C-S,C-G). Suppose also that the PE has received and installed a
+ Source Active A-D route for (C-S,C-G). As described in Section 13.2
+ of [RFC6514], the PE must receive the (C-S,C-G) traffic from the
+ tunnel the originator of the installed Source Active A-D route uses
+ for sending (C-S,C-G).
+
+ The originator of the installed Source Active A-D route is determined
+ as follows:
+
+ 1. Look at the "UMH Route Candidate Set" for C-S, as defined in
+ Section 5.1.3 of [RFC6513].
+
+ 2. From that set, select a subset of UMH routes to C-S, such that
+ each route in the subset has at least one RT in common with the
+ Source Active A-D route and at least one of the RTs in common is
+ an import RT of the VRF.
+
+ 3. From that subset, find the route whose RD is the same as the RD
+ from the NLRI of the Source Active A-D route.
+
+
+
+
+Rekhter, et al. Standards Track [Page 53]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ 4. The upstream PE is the PE identified in the VRF Route Import
+ Extended Community of that route.
+
+ 5. The upstream AS is the AS identified in the Source AS Extended
+ Community of that route.
+
+ If step 2 results in an empty set or step 3 fails to find a route,
+ then the upstream PE of the Source Active A-D route cannot be
+ determined, and it is necessary to act as if the Source Active A-D
+ route had not been installed. (A subsequent change to the UMH Route
+ Candidate Set for C-S may require that a new attempt be made to
+ determine the upstream PE.)
+
+ Once the upstream PE is determined, the P-tunnel over which the flow
+ is expected is determined according to the procedures already
+ described in this section.
+
+7.4.1. (C-S,C-G) S-PMSI A-D Routes
+
+ When extranet functionality is being provided, an S-PMSI A-D route
+ whose NLRI contains (C-S,C-G) is NOT considered to be a "match for
+ reception" for a given C-flow (C-S,C-G) unless one of the following
+ conditions holds (in addition to the conditions specified in
+ [RFC6625]):
+
+ o the "single C-source per (C-S,C-G) or (C-S,C-*) P-tunnel" is
+ provisioned, or
+
+ o the selected UMH route for C-S has at least one RT in common with
+ the S-PMSI A-D route, and at least one of the common RTs is an
+ import RT of the VRF.
+
+7.4.2. (C-S,C-*) S-PMSI A-D Routes
+
+ When extranet functionality is being provided, an S-PMSI A-D route
+ whose NLRI contains (C-S,C-*) is NOT considered to be a "match for
+ reception" for a given C-flow (C-S,C-G) unless one of the following
+ conditions holds (in addition to the conditions specified in
+ [RFC6625]):
+
+ o the "single C-source per (C-S,C-G) or (C-S,C-*) P-tunnel" is
+ provisioned, or
+
+ o the selected UMH route for C-S has at least one RT in common with
+ the S-PMSI A-D route, and at least one of the common RTs is an
+ import RT of the VRF.
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 54]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+7.4.3. (C-*,C-G) S-PMSI A-D Routes
+
+ When extranet functionality is being provided, an S-PMSI A-D route
+ whose NLRI contains (C-*,C-G) is NOT considered to be a "match for
+ reception" for a given C-flow (C-S,C-G) in a given VRF unless either
+ condition 1 or condition 2 below holds (in addition to the conditions
+ specified in [RFC6625]):
+
+ 1. The given VRF has currently originated a C-multicast Shared Tree
+ Join route for (C-*,C-G), and
+
+ a. (C-*,C-G) matches an installed (C-*,C-G) S-PMSI A-D route
+ (according to [RFC6625]) in the given VRF, and
+
+ b. either
+
+ i. the "single C-group per (C-*,C-G) P-tunnel" policy has
+ been provisioned, or
+
+ ii. the RTs of that S-PMSI A-D route form a non-empty
+ intersection with the RTs carried in the VRF's
+ selected UMH route for C-RP of that C-G, or
+
+ iii. installed in the VRF is at least one (C-S,C-G) Source
+ Active A-D route that was originated by the same PE as
+ the (C-*,C-G) S-PMSI A-D route.
+
+ 2. The given VRF does not have a currently originated C-multicast
+ Shared Tree Join for (C-*,C-G), but
+
+ a. there are one or more values for C-S for which the VRF has a
+ currently originated Source Tree Join C-multicast route for
+ (C-S,C-G), and
+
+ b. the (C-* C-G) S-PMSI A-D route matches (according to
+ [RFC6625]) each such (C-S,C-G), and
+
+ c. either
+
+ i. the "single C-group per (C-*,C-G) P-tunnel" policy has
+ been provisioned, or
+
+ ii. the RTs of that S-PMSI A-D route form a non-empty
+ intersection with the RTs carried in the VRF's selected
+ UMH routes for each such C-S
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 55]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ If a VRF has an installed (C-*,C-G) S-PMSI A-D route but does not
+ have a (C-S,C-G) or (C-*,C-G) multicast state that matches that
+ route for reception, the procedures of Section 12.3 ("Receiving
+ S-PMSI A-D Routes by PEs") of [RFC6514] are not invoked for that
+ route. If those multicast states are created at some later time
+ when the route is still installed, the procedures of Section 12.3
+ of [RFC6514] are invoked at that time.
+
+7.4.4. (C-*,C-*) S-PMSI A-D Routes
+
+ A (C-*,C-*) S-PMSI A-D route (call it "R-AD") is NOT considered to be
+ a "match for reception" for a given C-flow (C-S,C-G) or (C-*,C-G)
+ unless the following conditions hold (in addition to the conditions
+ specified in [RFC6625]):
+
+ o The selected UMH route (call it "R-UMH") for C-S or for C-G's
+ C-RP, respectively, has at least one RT in common with R-AD, and
+ at least one of the common RTs is an import RT of the VRF.
+
+ o Either R-AD and R-UMH both carry the Extranet Separation Extended
+ Community or neither carries the Extranet Separation Extended
+ Community.
+
+7.4.5. I-PMSI A-D Routes
+
+ If a particular egress VRF in a particular egress PE contains no
+ matching S-PMSI A-D routes for a particular C-flow, then the C-flow
+ is expected to arrive (at that egress VRF) on an inclusive P-tunnel.
+
+ Suppose that an egress PE has originated a (C-S,C-G) C-multicast
+ Source Tree Join. Let R-UMH be the selected UMH route (in the given
+ egress VRF) for C-S. As specified in [RFC6514], the selected
+ upstream PE for (C-S,C-G) is determined from the VRF Route Import
+ Extended Community of R-UMH, and the "selected upstream AS" for the
+ flow is determined from the Source AS Extended Community of R-UMH.
+
+ Suppose that an egress PE has originated a (C-*,C-G) C-multicast
+ Shared Tree Join but has not originated a (C-S,C-G) C-multicast
+ Source Tree Join. If the egress VRF does not have a (C-S,C-G) Source
+ Active A-D route installed, the selected upstream PE is determined
+ from the VRF Route Import Extended Community of the installed
+ UMH-eligible route matching C-RP, where C-RP is the RP for the group
+ C-G. The selected upstream AS for the flow is determined from the
+ Source AS Extended Community of that route. If the egress VRF does
+ have a (C-S,C-G) Source Active A-D route installed, the selected
+ upstream PE and upstream AS are determined as specified in
+ Section 7.4. In either case, let R-UMH be the installed UMH-eligible
+ route matching C-S.
+
+
+
+Rekhter, et al. Standards Track [Page 56]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ The inclusive P-tunnel that is expected to be carrying a particular
+ C-flow is found as follows:
+
+ o If the selected upstream AS is the local AS or segmented Inter-AS
+ P-tunnels are not being used to instantiate I-PMSIs, then look in
+ the VRF for an installed Intra-AS I-PMSI A-D route, R-AD, such
+ that (a) R-AD is originated by the selected upstream PE, (b) R-AD
+ has at least one RT in common with R-UMH, (c) at least one of the
+ common RTs is an import RT of the local VRF, and (d) either R-AD
+ and R-UMH both carry the Extranet Separation Extended Community or
+ neither carries the Extranet Separation Extended Community.
+
+ The PTA of R-AD specifies the P-tunnel over which the traffic of
+ the given C-flow is expected.
+
+ o If the selected upstream AS is not the local AS and segmented
+ Inter-AS P-tunnels are being used to instantiate I-PMSIs, then
+ look in the VRF for an installed Inter-AS I-PMSI A-D route, R-AD,
+ such that (a) the Source AS field of R-AD's NLRI contains the AS
+ number of the selected upstream AS, (b) R-AD has at least one RT
+ in common with R-UMH, (c) at least one of the common RTs is an
+ import RT of the local VRF, and (d) either R-AD and R-UMH both
+ carry the Extranet Separation Extended Community or neither
+ carries the Extranet Separation Extended Community.
+
+ The PTA of R-AD specifies the P-tunnel over which the traffic of
+ the given C-flow is expected.
+
+7.5. Packets Arriving from the Wrong P-Tunnel
+
+ Any packets that arrive on a P-tunnel other than the expected
+ P-tunnel (as defined in Section 7.4) MUST be discarded unless it is
+ known that all the packets carried by both P-tunnels are from the
+ same ingress VRF. (See Section 2.3.1 for a more detailed discussion
+ of when to discard packets from other than the expected P-tunnel.)
+ Note that packets arriving on the wrong P-tunnel are to be discarded
+ even if they are arriving from the expected PE.
+
+8. Multiple Extranet VRFs on the Same PE
+
+ When multiple VRFs that contain extranet receivers for a given
+ extranet source are present on the same PE, this PE becomes a single
+ leaf of the P-tunnel used for sending (multicast) traffic from that
+ source to these extranet receivers. The PE MUST be able to replicate
+ this traffic to the multiple VRFs. Specific procedures for doing so
+ are local to the PE and are outside the scope of this document.
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 57]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ Two or more VRFs on the same PE may import the same S-PMSI A-D route.
+ If this S-PMSI A-D route contains a PTA that has its "Leaf
+ Information Required" flag set, it may be necessary for the PE to
+ originate a Leaf A-D route whose NLRI is computed from the NLRI of
+ the S-PMSI A-D route. (Details are provided in [RFC6514].) Note
+ that for a given S-PMSI A-D route, the PE can originate only one
+ corresponding Leaf A-D route, even if the S-PMSI A-D route is
+ imported into multiple VRFs. This Leaf A-D route can thus be thought
+ of as originating from several VRFs. It MUST NOT be withdrawn by the
+ PE until there are no longer any VRFs originating it.
+
+ [RFC6514] specifies conditions under which a PE originates a
+ C-multicast Source Tree Join or a C-multicast Shared Tree Join, based
+ on the (*,G) and (S,G) states associated with a given VRF. It also
+ specifies the procedure for computing the NLRI of each such route.
+ While a given PE may contain two or more VRFs that have (extranet)
+ receivers for the same extranet C-flow, the PE cannot originate more
+ than one BGP route with a given NLRI. If there are multiple VRFs,
+ each of which has state that is sufficient to cause a given
+ C-multicast route to be originated, the route can be thought of as
+ originating from several VRFs. It MUST NOT be withdrawn by the PE
+ until there is no longer any VRF with multicast state sufficient to
+ cause the route to be originated.
+
+ For a given extranet, the site(s) that contains the extranet
+ source(s) and the site(s) that contains the extranet receiver(s) may
+ be connected to the same PE. In this scenario, the procedures by
+ which (multicast) traffic from these sources is delivered to these
+ receivers are local to the PE and are outside the scope of this
+ document.
+
+ An implementation MUST support multiple extranet VRFs on a PE.
+
+9. IANA Considerations
+
+ IANA has allocated two new codepoints from the "First Come First
+ Served" [RFC5226] range of the "Transitive Opaque Extended Community
+ Sub-Types" registry (under the top-level registry "Border Gateway
+ Protocol (BGP) Extended Communities" registry).
+
+ o Extranet Source Extended Community (0x04)
+
+ o Extranet Separation Extended Community (0x05)
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 58]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+10. Security Considerations
+
+ The security considerations of [RFC6513] and [RFC6514] are
+ applicable.
+
+ As is the case with any application of technology based upon
+ [RFC4364], misconfiguration of the RTs may result in VPN security
+ violations (i.e., may result in a packet being delivered to a VPN
+ where, according to policy, it is not supposed to go).
+
+ In those cases where the set of extranet sources of a particular VRF
+ are manually configured, improper configuration of the VRF can result
+ in VPN security violations -- traffic from a host that is not an
+ extranet source may be treated as if it were traffic from an extranet
+ source.
+
+ Section 4.4 specifies the optional use of a new Extended Community --
+ the Extranet Source Extended Community. Security considerations
+ regarding the use and distribution of that Extended Community are
+ discussed in that section.
+
+ The procedures of this document do not provide encryption of the data
+ flows that are sent across the SP backbone network. Hence, these
+ procedures do not by themselves ensure the privacy or integrity of
+ the data against attacks on the backbone network.
+
+ In general, different VPNs are allowed to have overlapping IP address
+ spaces; i.e., a host in one VPN may have the same IP address as a
+ host in another. This is safe because the customer routes from a
+ given VPN do not pass into other VPNs. Even if there are overlapping
+ address spaces among VPNs, the routes that are known at any given VPN
+ site are unambiguous, as long as the address space of that VPN is
+ unambiguous. However, this is not necessarily true when extranet
+ service is provided. If an extranet C-receiver in VPN-R is to be
+ able to receive multicast traffic from an extranet C-source in VPN-S,
+ then the address of the VPN-S extranet C-source must be imported into
+ one or more VPN-R VRFs. If that address is also the address of a
+ VPN-R non-extranet C-source, then a system attempting to receive an
+ extranet C-flow from the VPN-R extranet C-source may instead receive
+ a non-extranet C-flow from the VPN-S C-source. Otherwise, a VPN
+ security violation may result.
+
+ That is, when provisioning an extranet between two VPNs that have
+ overlapping address spaces, one must ensure that the IP addresses of
+ the extranet sources and the extranet receivers are not from the
+ overlapping part of the address space. This document specifies that
+ if a route is imported into a given VRF, all addresses that match
+ that route must be unambiguous in the context of that VRF. Improper
+
+
+
+Rekhter, et al. Standards Track [Page 59]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ provisioning of the extranet source addresses or improper
+ provisioning of the RTs may cause this rule to be violated and may
+ result in a VPN security violation.
+
+ It is possible that a given multicast C-source is the source of
+ multiple flows, some of which are intended to be extranet C-flows and
+ some of which are intended to be non-extranet flows. However, the
+ procedures of this document will allow any C-receiver that is able to
+ receive the extranet C-flows from a given C-source to also receive
+ the non-extranet C-flows from that source. As a result, VPN security
+ violations may result if any system is a C-source for both extranet
+ and non-extranet C-flows. However, the set of C-flows transmitted by
+ a given C-source is not under the control of the SP. SPs who offer
+ the extranet MVPN service must make sure that this potential for VPN
+ security violations is clearly understood by the customers who
+ administer the C-sources.
+
+ This specification does not require that UMH-eligible routes be "host
+ routes"; they may be less specific routes. So, it is possible for
+ the NLRI of a UMH-eligible route to contain an address prefix that
+ matches the address of both an extranet C-source and a non-extranet
+ C-source. If such a route is exported from a VPN-S VRF and imported
+ by a VPN-R VRF, C-receivers contained in VPN-R will be able to
+ receive C-flows from the non-extranet C-sources whose addresses match
+ that route. This may result in VPN security violations. Service
+ providers who offer the extranet MVPN service must make sure that
+ this is clearly understood by the customers who administer the
+ distribution of routes from CE routers to PE routers.
+
+ If the address ambiguities described in Sections 2.1 and 2.2 are not
+ prohibited by deployment of the policies described in Section 2.3.2,
+ VRFs must be able to discard traffic that arrives on the wrong
+ P-tunnel (as specified in Sections 2.3.1 and 7.5). Otherwise, VPN
+ security violations may occur.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 60]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+11. References
+
+11.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
+ Communities Attribute", RFC 4360, DOI 10.17487/RFC4360,
+ February 2006, <http://www.rfc-editor.org/info/rfc4360>.
+
+ [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
+ Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364,
+ February 2006, <http://www.rfc-editor.org/info/rfc4364>.
+
+ [RFC6513] Rosen, E., Ed., and R. Aggarwal, Ed., "Multicast in
+ MPLS/BGP IP VPNs", RFC 6513, DOI 10.17487/RFC6513,
+ February 2012, <http://www.rfc-editor.org/info/rfc6513>.
+
+ [RFC6514] Aggarwal, R., Rosen, E., Morin, T., and Y. Rekhter, "BGP
+ Encodings and Procedures for Multicast in MPLS/BGP IP
+ VPNs", RFC 6514, DOI 10.17487/RFC6514, February 2012,
+ <http://www.rfc-editor.org/info/rfc6514>.
+
+ [RFC6625] Rosen, E., Ed., Rekhter, Y., Ed., Hendrickx, W., and R.
+ Qiu, "Wildcards in Multicast VPN Auto-Discovery Routes",
+ RFC 6625, DOI 10.17487/RFC6625, May 2012,
+ <http://www.rfc-editor.org/info/rfc6625>.
+
+ [RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP
+ Extended Communities", RFC 7153, DOI 10.17487/RFC7153,
+ March 2014, <http://www.rfc-editor.org/info/rfc7153>.
+
+ [RFC7761] Fenner, B., Handley, M., Holbrook, H., Kouvelas, I.,
+ Parekh, R., Zhang, Z., and L. Zheng, "Protocol Independent
+ Multicast - Sparse Mode (PIM-SM): Protocol Specification
+ (Revised)", STD 83, RFC 7761, DOI 10.17487/RFC7761,
+ March 2016, <http://www.rfc-editor.org/info/rfc7761>.
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 61]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+11.2. Informative References
+
+ [MVPN-IR] Rosen, E., Ed., Subramanian, K., and Z. Zhang, "Ingress
+ Replication Tunnels in Multicast VPN", Work in Progress,
+ draft-ietf-bess-ir-03, April 2016.
+
+ [RFC3446] Kim, D., Meyer, D., Kilmer, H., and D. Farinacci, "Anycast
+ Rendevous Point (RP) mechanism using Protocol Independent
+ Multicast (PIM) and Multicast Source Discovery Protocol
+ (MSDP)", RFC 3446, DOI 10.17487/RFC3446, January 2003,
+ <http://www.rfc-editor.org/info/rfc3446>.
+
+ [RFC3618] Fenner, B., Ed., and D. Meyer, Ed., "Multicast Source
+ Discovery Protocol (MSDP)", RFC 3618,
+ DOI 10.17487/RFC3618, October 2003,
+ <http://www.rfc-editor.org/info/rfc3618>.
+
+ [RFC4610] Farinacci, D. and Y. Cai, "Anycast-RP Using Protocol
+ Independent Multicast (PIM)", RFC 4610,
+ DOI 10.17487/RFC4610, August 2006,
+ <http://www.rfc-editor.org/info/rfc4610>.
+
+ [RFC4875] Aggarwal, R., Ed., Papadimitriou, D., Ed., and S.
+ Yasukawa, Ed., "Extensions to Resource Reservation
+ Protocol - Traffic Engineering (RSVP-TE) for Point-to-
+ Multipoint TE Label Switched Paths (LSPs)", RFC 4875,
+ DOI 10.17487/RFC4875, May 2007,
+ <http://www.rfc-editor.org/info/rfc4875>.
+
+ [RFC5015] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano,
+ "Bidirectional Protocol Independent Multicast
+ (BIDIR-PIM)", RFC 5015, DOI 10.17487/RFC5015,
+ October 2007, <http://www.rfc-editor.org/info/rfc5015>.
+
+ [RFC5059] Bhaskar, N., Gall, A., Lingard, J., and S. Venaas,
+ "Bootstrap Router (BSR) Mechanism for Protocol Independent
+ Multicast (PIM)", RFC 5059, DOI 10.17487/RFC5059,
+ January 2008, <http://www.rfc-editor.org/info/rfc5059>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 62]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ DOI 10.17487/RFC5226, May 2008,
+ <http://www.rfc-editor.org/info/rfc5226>.
+
+ [RFC6388] Wijnands, IJ., Ed., Minei, I., Ed., Kompella, K., and B.
+ Thomas, "Label Distribution Protocol Extensions for Point-
+ to-Multipoint and Multipoint-to-Multipoint Label Switched
+ Paths", RFC 6388, DOI 10.17487/RFC6388, November 2011,
+ <http://www.rfc-editor.org/info/rfc6388>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 63]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+Acknowledgments
+
+ The authors wish to thank DP Ayyadevara, Robert Kebler, Padmini
+ Misra, Rayen Mohanty, Maria Napierala, Karthik Subramanian, and Kurt
+ Windisch for their contributions to this work.
+
+ We also wish to thank Lizhong Jin and Rishabh Parekh for their
+ reviews and comments.
+
+ Special thanks to Jeffrey (Zhaohui) Zhang for his careful review and
+ for providing the ASCII art appearing in Section 2.
+
+Contributors
+
+ Below is a list of other contributing authors, in alphabetical order:
+
+ Wim Henderickx
+ Nokia
+ Copernicuslaan 50
+ Antwerp 2018
+ Belgium
+
+ Email: wim.henderickx@nokia.com
+
+
+ Praveen Muley
+ Nokia
+
+ Email: Praveen.Muley@nokia.com
+
+
+ Ray Qiu
+ Juniper Networks, Inc.
+ 1194 North Mathilda Avenue
+ Sunnyvale, CA 94089
+ United States
+
+ Email: rqiu@juniper.net
+
+
+ IJsbrand Wijnands
+ Cisco Systems, Inc.
+ De Kleetlaan 6a
+ Diegem 1831
+ Belgium
+
+ Email: ice@cisco.com
+
+
+
+
+Rekhter, et al. Standards Track [Page 64]
+
+RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016
+
+
+Authors' Addresses
+
+ Yakov Rekhter (editor)
+ Juniper Networks, Inc.
+ 1194 North Mathilda Avenue
+ Sunnyvale, CA 94089
+ United States
+
+
+ Eric C. Rosen (editor)
+ Juniper Networks, Inc.
+ 10 Technology Park Drive
+ Westford, Massachusetts 01886
+ United States
+
+ Email: erosen@juniper.net
+
+
+ Rahul Aggarwal
+ Arktan
+
+ Email: raggarwa_1@yahoo.com
+
+
+ Yiqun Cai
+ Alibaba Group
+ 400 S El Camino Real #400
+ San Mateo, CA 94402
+ United States
+
+ Email: yiqun.cai@alibaba-inc.com
+
+
+ Thomas Morin
+ Orange
+ 2 Avenue Pierre-Marzin
+ 22307 Lannion Cedex
+ France
+
+ Email: thomas.morin@orange.com
+
+
+
+
+
+
+
+
+
+
+
+Rekhter, et al. Standards Track [Page 65]
+