From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc7900.txt | 3643 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 3643 insertions(+) create mode 100644 doc/rfc/rfc7900.txt (limited to 'doc/rfc/rfc7900.txt') diff --git a/doc/rfc/rfc7900.txt b/doc/rfc/rfc7900.txt new file mode 100644 index 0000000..2a6b8cd --- /dev/null +++ b/doc/rfc/rfc7900.txt @@ -0,0 +1,3643 @@ + + + + + + +Internet Engineering Task Force (IETF) Y. Rekhter, Ed. +Request for Comments: 7900 E. Rosen, Ed. +Updates: 6513, 6514, 6625 Juniper Networks, Inc. +Category: Standards Track R. Aggarwal +ISSN: 2070-1721 Arktan + Y. Cai + Alibaba Group + T. Morin + Orange + June 2016 + + + Extranet Multicast in BGP/IP MPLS VPNs + +Abstract + + Previous RFCs specify the procedures necessary to allow IP multicast + traffic to travel from one site to another within a BGP/MPLS IP VPN + (Virtual Private Network). However, it is sometimes desirable to + allow multicast traffic whose source is in one VPN to be received by + systems that are in another VPN. This is known as a "Multicast VPN + (MVPN) extranet". This document updates RFCs 6513, 6514, and 6625 by + specifying the procedures that are necessary in order to provide + extranet MVPN service. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7900. + + + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 1] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +Copyright Notice + + Copyright (c) 2016 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction ....................................................4 + 1.1. Terminology ................................................4 + 1.2. Scope ......................................................7 + 1.2.1. Customer Multicast Control Protocols ................7 + 1.2.2. Provider Multicast Control Protocols ................7 + 1.3. Clarification on Use of Route Distinguishers ...............8 + 1.4. Overview ...................................................9 + 2. Extranets and Overlapping Address Spaces .......................12 + 2.1. Ambiguity: P-Tunnel with Extranet/Non-extranet Flows ......14 + 2.2. Ambiguity: P-Tunnel with Multiple Extranet Flows ..........16 + 2.3. Preventing Misdelivery in These Scenarios .................18 + 2.3.1. Do Not Deliver Packets from the Wrong P-tunnel .....18 + 2.3.2. Policies to Prevent Ambiguity on a P-Tunnel ........20 + 3. Extranet Transmission Models ...................................21 + 3.1. Transmitting an Extranet C-Flow on a Single PMSI ..........21 + 3.1.1. Without Extranet Separation ........................22 + 3.1.2. With Extranet Separation ...........................22 + 3.2. Transmitting an Extranet C-Flow over Multiple PMSIs .......23 + 4. Distribution of Routes That Match C-S/C-RP Addresses ...........23 + 4.1. UMH-Eligible Routes .......................................23 + 4.1.1. Extranet Separation ................................24 + 4.2. Distribution of Unicast Routes Matching C-RPs and DRs .....25 + 4.3. Route Targets and Ambiguous UMH-Eligible Routes ...........26 + 4.4. Dynamically Marking Extranet Routes .......................27 + 4.4.1. The Extranet Source Extended Community .............27 + 4.4.2. Distribution of Extranet Source Extended + Community ..........................................29 + 4.5. The Extranet Separation Extended Community ................30 + + + + + + +Rekhter, et al. Standards Track [Page 2] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + 5. Origination and Distribution of BGP A-D Routes .................30 + 5.1. Route Targets of UMH-Eligible Routes and A-D Routes .......30 + 5.2. Considerations for Particular Inclusive Tunnel Types ......33 + 5.2.1. RSVP-TE P2MP or Ingress Replication ................33 + 5.2.2. Ingress Replication ................................34 + 6. When PIM Is the PE-PE C-Multicast Control Plane ................35 + 6.1. Provisioning VRFs with RTs ................................36 + 6.1.1. Incoming and Outgoing Extranet RTs .................36 + 6.1.2. UMH-Eligible Routes and RTs ........................37 + 6.1.3. PIM C-Instance Reverse Path Forwarding + Determination ......................................37 + 6.2. "Single PMSI per C-Flow" Model ............................38 + 6.2.1. Forming the MI-PMSIs ...............................38 + 6.2.2. S-PMSIs ............................................41 + 6.2.3. Sending PIM Control Packets ........................42 + 6.2.4. Receiving PIM Control Packets ......................43 + 6.2.5. Sending and Receiving Data Packets .................43 + 6.3. "Multiple PMSIs per C-Flow" Model .........................43 + 6.3.1. Forming the MI-PMSIs ...............................44 + 7. When BGP Is the PE-PE C-Multicast Control Plane ................46 + 7.1. Originating C-Multicast Routes ............................46 + 7.2. Originating A-D Routes without Extranet Separation ........47 + 7.2.1. Intra-AS I-PMSI A-D Routes .........................47 + 7.2.2. S-PMSI A-D Routes ..................................47 + 7.2.3. Source Active A-D Routes ...........................48 + 7.2.3.1. When Inter-Site Shared Trees Are Used .....48 + 7.2.3.2. When Inter-Site Shared Trees Are + Not Used ..................................49 + 7.3. Originating A-D Routes with Extranet Separation ...........49 + 7.3.1. Intra-AS I-PMSI A-D Routes .........................49 + 7.3.2. S-PMSI A-D Routes ..................................50 + 7.3.3. Source Active A-D Routes ...........................52 + 7.4. Determining the Expected P-Tunnel for a C-Flow ............52 + 7.4.1. (C-S,C-G) S-PMSI A-D Routes ........................54 + 7.4.2. (C-S,C-*) S-PMSI A-D Routes ........................54 + 7.4.3. (C-*,C-G) S-PMSI A-D Routes ........................55 + 7.4.4. (C-*,C-*) S-PMSI A-D Routes ........................56 + 7.4.5. I-PMSI A-D Routes ..................................56 + 7.5. Packets Arriving from the Wrong P-Tunnel ..................57 + 8. Multiple Extranet VRFs on the Same PE ..........................57 + 9. IANA Considerations ............................................58 + 10. Security Considerations .......................................59 + 11. References ....................................................61 + 11.1. Normative References .....................................61 + 11.2. Informative References ...................................62 + Acknowledgments ...................................................64 + Contributors ......................................................64 + Authors' Addresses ................................................65 + + + +Rekhter, et al. Standards Track [Page 3] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +1. Introduction + + Previous RFCs [RFC6513] [RFC6514] specify the procedures necessary to + allow IP multicast traffic to travel from one site to another within + a BGP/MPLS IP VPN (Virtual Private Network). However, it is + sometimes desirable to allow multicast traffic whose source is in one + VPN to be received by systems that are in another VPN. This is known + as an "extranet Multicast VPN (MVPN)". This document specifies the + procedures that are necessary in order to provide extranet MVPN + functionality. + + This document updates RFCs 6513, 6514, and 6625 by specifying the + procedures that are necessary in order to provide extranet MVPN + service. + +1.1. Terminology + + This document uses terminology from [RFC6513] and in particular uses + the prefixes "C-" and "P-" as specified in Section 3.1 of [RFC6513], + and "A-D routes" for "auto-discovery routes". + + The term "Upstream Multicast Hop" (UMH) is used as defined in + [RFC6513]. + + The term "UMH-eligible route" is used to mean "route eligible for UMH + determination", as defined in Section 5.1.1 of [RFC6513]. We will + say that a given UMH-eligible route or unicast route "matches" a + given IP address, in the context of a given Virtual Routing and + Forwarding table (VRF), if the address prefix of the given route is + the longest match in that VRF for the given IP address. We will + sometimes say that a route "matches" a particular host if the route + matches an IP address of the host. + + We follow the terminology of Section 3.2 of [RFC6625] when talking of + a "Selective Provider Multicast Service Interface" (S-PMSI) A-D route + being "installed". That is, we say that an S-PMSI A-D route is + "installed" (in a given VRF) if it has been selected by the BGP + decision process as the preferred route for its Network Layer + Reachability Information (NLRI). We also follow the terminology of + Section 3.2 of [RFC6625] when saying that an S-PMSI A-D route has + been "originated by a given PE"; this means that the given Provider + Edge's (PE's) IP address is contained in the Originating Router's IP + Address field in the NLRI of the route. + + + + + + + + +Rekhter, et al. Standards Track [Page 4] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + We use the following additional terminology and notation: + + o Extranet C-source: a multicast source, in a given VPN, that is + allowed by policy to send multicast traffic to receivers that are + in other VPNs. + + o Extranet C-receiver: a multicast receiver, in a given VPN, that is + allowed by policy to receive multicast traffic from extranet + C-sources that are in other VPNs. + + o Extranet C-flow: a multicast flow (with a specified C-source + address and C-group address) with the following properties: its + source is an extranet C-source, and it is allowed by policy to + have extranet C-receivers. + + o Extranet C-group: a multicast group address that is in the + "Any-Source Multicast" (ASM) group address range and that is + allowed by policy to have extranet C-sources and extranet + C-receivers that are not all in the same VPN. Note that we will + sometimes refer to "Source-Specific Multicast (SSM) C-group + addresses" (i.e., C-group addresses in the SSM group address + range) but will never call them "extranet C-groups". + + N.B.: Any source of traffic for an extranet C-group is considered + to be an extranet C-source, and any receiver of traffic addressed + to an extranet C-group is considered to be an extranet C-receiver. + + o Extranet C-RP: a multicast Rendezvous Point (RP) for an extranet + C-group; it is allowed by policy to receive PIM Register messages + [RFC7761] from outside its VPN and to send multicast data packets + to extranet C-receivers outside its VPN. + + o Host(C-S,A): the host (or, if C-S is an "anycast address", the set + of hosts) denoted by the address C-S in the context of VPN-A. For + example, if a particular C-source in VPN-A has address C-S, then + Host(C-S,A) refers to that C-source. + + o "SAFI n" route: a BGP route whose Address Family Identifier (AFI) + is either 1 (IPv4) or 2 (IPv6) and whose Subsequent Address Family + Identifier (SAFI) is "n". + + o PTA: PMSI Tunnel Attribute [RFC6514]. + + + + + + + + + +Rekhter, et al. Standards Track [Page 5] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Note that a given extranet C-source is not necessarily allowed to + transmit to every extranet C-receiver; policy determines which + extranet C-sources are allowed to transmit to which extranet + C-receivers. However, in the case of an extranet (ASM) C-group, all + transmitters to the group are allowed to transmit to all the + receivers of the group, and all the receivers of the group are + allowed to receive from all transmitters to the group. + + We say that a given VRF "contains" or "has" a multicast C-source (or + that the C-source is "in" the VRF) if that C-source is in a site + connected to that VRF and the VRF originates a UMH-eligible route + (see Section 4) that matches the address of the C-source. + + We say that a given VRF "contains" or "has" a multicast C-receiver + (or that the C-receiver is "in" the VRF) if that C-receiver is in a + site connected to that VRF. + + We say that a given VRF "contains" or "has" the C-RP for a given ASM + group (or that the C-RP is "in" the VRF) if that C-RP is in a site + connected to that VRF and the VRF originates a unicast route and a + (possibly different, possibly the same) UMH-eligible route (see + Section 4) whose respective address prefixes match the C-RP address. + + [RFC6513] allows a set of "P-tunnels" (defined in Section 3.2 of + [RFC6513]) to be aggregated together and transported via an outer + P-tunnel; i.e., it allows for the use of hierarchical Label Switched + Paths (LSPs) as P-tunnels. A two-level hierarchical LSP, for + example, can be thought of as a set of "inner tunnels" aggregated + into an outer tunnel. In this document, when we speak of a P-tunnel, + we are always speaking of the innermost P-tunnel, i.e., of a P-tunnel + at the lowest hierarchical level. P-tunnels are identified in the + PMSI Tunnel attributes ("PTAs" in this document) [RFC6514] of BGP + auto-discovery (A-D) routes. Two PTAs that have the same Tunnel Type + and Tunnel Identifier fields but different MPLS label fields are thus + considered to identify two different P-tunnels. (That is, for the + purposes of this document, the MPLS label included in the PTA, if + any, is considered to be part of the tunnel identifier.) + + We say that the NLRI of a BGP S-PMSI A-D route or Source Active A-D + route contains (C-S,C-G) if its Multicast Source field contains C-S + and its Multicast Group field contains C-G. If either or both of + these fields are encoded as a wildcard, we will say that the NLRI + contains (C-*,C-*) (both fields encoded as wildcards), (C-*,C-G) + (Multicast Source field encoded as a wildcard), or (C-S,C-*) + (Multicast Group field encoded as a wildcard). + + + + + + +Rekhter, et al. Standards Track [Page 6] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + We use the term "VPN security violation" to refer to any situation in + which a packet is delivered to a particular VPN, even though, by + policy, it should not be delivered to that VPN. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + [RFC2119]. + +1.2. Scope + +1.2.1. Customer Multicast Control Protocols + + This document presumes that the VPN customer is using PIM - Sparse + Mode (PIM-SM) [RFC7761] as the multicast control protocol at the + customer sites. PIM-SM may be used in either the ASM service model + or the SSM service model; this document covers both cases. Support + for other customer IP multicast control protocols (e.g., [RFC5015], + PIM - Dense Mode) is outside the scope of this document. Support for + the use of MPLS multicast control protocols (e.g., [RFC6388] + [RFC4875]) by customer sites is also outside the scope of this + document. + + When a VPN customer uses ASM, the customer routers need to be able to + map from a C-group address to a C-RP address. These mappings can be + provisioned in each router, or they can be discovered dynamically + through protocols such as the Bootstrap Router (BSR) mechanism + [RFC5059]. However, it cannot be assumed that such protocols will + automatically work in the context of an extranet. Discussion of the + use of such protocols in an extranet is outside the scope of this + document. + +1.2.2. Provider Multicast Control Protocols + + [RFC6513] allows either PIM or BGP to be used as the protocol for + distributing customer multicast routing information. Except where + otherwise specified, such as in Sections 6 and 7, the procedures of + this document cover both cases. + + + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 7] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +1.3. Clarification on Use of Route Distinguishers + + [RFC4364] requires that every VRF be associated with one or more + Route Distinguishers (RDs). Each VPN-IPv4 or VPN-IPv6 route that is + exported from a particular VRF contains, in its NLRI, an RD that is + associated with that VRF. + + [RFC4364] allows a given RD to be associated with more than one VRF, + as long as all the VRFs associated with that RD belong to the same + VPN. However, in the most common deployment model, each RD is + associated with one and only one VRF. [RFC6513] and [RFC6514] + presuppose this deployment model. That is, [RFC6513] and [RFC6514] + presuppose that every RD is associated with one and only one VRF. We + will call this the "unique VRF per RD" condition. + + [RFC6514] defines the MCAST-VPN address family, which has a number of + route types. Each Intra-Autonomous System (Intra-AS) "Inclusive + Provider Multicast Service Interface" (I-PMSI) A-D route, S-PMSI A-D + route, and Source Active A-D route, when exported from a given VRF, + contains, in its NLRI, an RD that is associated with the VRF. + [RFC6513] and [RFC6514] also discuss a class of routes known as + "UMH-eligible" routes; when a UMH-eligible route is exported from a + given VRF, its NLRI contains an RD of the VRF. + + [RFC6514] also defines MCAST-VPN routes whose NLRIs do not contain an + RD of the VRF from which they are exported: the C-multicast Join + routes and the Leaf A-D routes. + + Those route types that, when exported from a given VRF, contain (in + their NLRIs) an RD of the VRF, will be known in this document as + "local-RD routes". + + Given the "unique VRF per RD" condition, if one sees that two + local-RD routes have the same RD, one can infer that the two routes + originated from the same VRF. This inference can be drawn even if + the two routes do not have the same SAFI, as long as the two routes + are both local-RD routes. + + This document builds upon [RFC6513] and [RFC6514]; therefore, the + "unique VRF per RD" condition is REQUIRED. + + [RFC6514] presupposes a further requirement on the use of RDs in the + local-RD routes exported from a given VRF. Suppose that a given VRF + exports a Source Active A-D route containing (C-S,C-G). That VRF + will also export a UMH-eligible route matching C-S. [RFC6514] + presupposes that the UMH-eligible route and the Source Active A-D + route have the same RD. + + + + +Rekhter, et al. Standards Track [Page 8] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + In most cases, not only is a given RD associated with only a single + VRF, but a given VRF is associated with only a single RD. We will + call this the "unique RD per VRF" condition. When this condition + holds, all the local-RD routes exported from a given VRF will have + the same RD. This ensures that the presupposition of the previous + paragraph will hold, i.e., that the RD in a Source Active A-D route + exported from a given VRF will have the same RD as the corresponding + UMH-eligible route exported from the same VRF. + + Section 7.3 of this document describes a procedure known as "extranet + separation". When extranet separation is NOT being used, it is + REQUIRED by this document that the "unique RD per VRF" condition + hold. This ensures that all the local-RD routes exported from a + given VRF will have the same RD. + + When extranet separation is used, a VRF that contains both extranet + sources and non-extranet sources MUST be configured with two RDs. + One of these RDs is known as the "default RD", and the other is known + as the "extranet RD". It MUST be known by configuration which RD is + the default RD and which is the extranet RD. + + When a VRF is configured with only one RD, we will refer to that RD + as the "default RD". + + In general, local-RD routes exported from a given VRF will contain + the default RD. However, when extranet separation is used, some of + the local-RD routes exported from the VRF will contain the + extranet RD. Details concerning the exported routes that contain + the extranet RD can be found in Sections 4.1 and 7.3. + + Note that the "unique VRF per RD" condition applies to the + extranet RD as well as the default RD. That is, a given extranet RD + is associated with a unique VRF. + +1.4. Overview + + Consider two VPNs, VPN-S and VPN-R, each of which supports MVPN + functionality as specified in [RFC6513] and/or [RFC6514]. In the + simplest configuration, VPN-S is a collection of VRFs, each of which + is configured with a particular Route Target (RT) value (call it + "RT-S") as its import RT and as its export RT. Similarly, VPN-R is a + collection of VRFs, each of which is configured with a particular RT + value (call it "RT-R") as its import RT and as its export RT. + + + + + + + + +Rekhter, et al. Standards Track [Page 9] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + In this configuration, multicast C-receivers contained in a VPN-R VRF + cannot receive multicast data traffic from multicast C-sources + contained in a VPN-S VRF. If it is desired to allow this, one needs + to create an MVPN "extranet". Creating an extranet requires + procedures in addition to those specified in [RFC6513], [RFC6514], + and [RFC6625]; this document specifies these additional procedures. + + In the example above, the additional procedures will allow a selected + set of routes exported from the VPN-S VRFs (i.e., from the VRFs + containing extranet C-sources) to be imported into the VPN-R VRFs + (i.e., into the VRFs containing extranet C-receivers). These routes + include the routes that are to be eligible for use as UMH routes (see + Section 5.1 of [RFC6513]) in the extranet, as well as a selected set + of BGP A-D routes (Intra-AS I-PMSI A-D routes, S-PMSI A-D routes, and + Source Active A-D routes). Importing these routes into the VPN-R + VRFs makes it possible to determine, in the context of a VPN-R VRF, + that a particular C-multicast Join needs to be delivered to a + particular VPN-S VRF. It also makes it possible to determine, in the + context of a VPN-R VRF, the P-tunnel through which the aforementioned + VPN-S VRF sends a particular C-flow. + + Depending on the type of P-tunnel used, it may also be necessary for + Leaf A-D routes to be exported by one or more VPN-R VRFs and imported + into a VPN-S VRF. + + There are no extranet-specific procedures governing the use and + distribution of BGP C-multicast routes. + + If PIM is used as the PE-PE protocol for distributing C-multicast + routing information, additional BGP A-D routes must be exported from + the VPN-R VRFs and imported into the VPN-S VRFs, so that the VPN-S + VRFs can join the P-tunnels that the VPN-R VRFs use for sending PIM + control messages. Details can be found in Section 6. + + The simple example above describes an extranet created from two + MVPNs, one of which contains extranet C-sources and one of which + contains extranet C-receivers. However, the procedures described in + this document allow for much more complicated scenarios. + + For instance, an extranet may contain extranet C-sources and/or + extranet C-receivers from an arbitrary number of VPNs, not just from + two VPNs. An extranet C-receiver in VPN-R may be allowed to receive + multicast traffic from extranet C-sources in VPN-A, VPN-B, and VPN-C. + Similarly, extranet C-sources in VPN-S may be allowed to send + multicast traffic to multicast C-receivers that are in VPN-A, VPN-B, + VPN-C, etc. + + + + + +Rekhter, et al. Standards Track [Page 10] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + A given VPN customer may desire that only some of its multicast + C-sources be treated as extranet C-sources. This can be accomplished + by appropriate provisioning of the import and export RTs of that + customer's VRFs (as well as the VRFs of other VPNs that contain + extranet C-receivers for extranet C-flows of the given customer). + + A given VPN customer may desire that some of its extranet C-sources + can transmit only to a certain set of VPNs while other of its + extranet C-sources can transmit only to a different set of VPNs. + This can be accomplished by provisioning the VRFs to export different + routes with different RTs. + + In all these cases, the VPN customers set the policies, and the + Service Provider (SP) implements the policies by the way it + provisions the import and export RTs of the VRFs. It is assumed that + the customer communicates to the SP the set of extranet C-source + addresses and the set of VPNs to which each C-source can transmit. + (Recall that every C-source that can transmit to an extranet C-group + is an extranet C-source and must be able to transmit to any VPN that + has receivers for that group. This must be taken into account when + the provisioning is done.) This customer/SP communication is part of + the service provisioning process and is outside the scope of this + document. + + It is possible that an extranet C-source will transmit both extranet + C-flows and non-extranet C-flows. However, if extranet C-receiver + C-R can receive extranet C-flows from extranet C-source C-S, the + procedures of this document do not prevent C-R from requesting and + receiving the non-extranet flows that are transmitted by C-S. + Therefore, allowing an extranet C-source to transmit non-extranet + C-flows is NOT RECOMMENDED. However, the SP has no control over the + set of C-flows transmitted by a given C-source and can do no more + than communicate this recommendation to its customers. + (Alternatively, the customer and SP may coordinate on setting up + filters to prevent unauthorized flows from being sent to a customer + site; such a procedure is outside the scope of this document.) See + Section 10 ("Security Considerations") for additional discussion of + this issue. + + Whenever a VPN is provisioned, there is a risk that errors in + provisioning may result in an unintended cross-connection of VPNs. + This would create a security problem for the customers. When + provisioning an extranet, attention to detail is particularly + important, as an extranet intentionally cross-connects VPNs. Care + must always be taken to ensure that the cross-connections are + according to the policy agreed upon by the SP and its customers. + + + + + +Rekhter, et al. Standards Track [Page 11] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Additionally, if one is connecting two VPNs that have overlapping + address spaces, one has to be sure that the inter-VPN traffic neither + originates from nor is destined to the part of the address space that + is in the overlap. Other problems that can arise due to overlapping + address spaces are discussed in Section 2. + +2. Extranets and Overlapping Address Spaces + + As specified in [RFC4364], the address space of one VPN may overlap + with the address space of another. A given address may be + "ambiguous" in that it denotes one system within VPN-A and a + different system within VPN-B. In the notation of Section 1.1, + if an address C-S is ambiguous between VPN-A and VPN-B, then + Host(C-S,A) != Host(C-S,B). However, any given address C-S MUST be + unambiguous (i.e., MUST denote a single system) in the context of a + given VPN. + + When a set of VRFs belonging to different VPNs are combined into an + extranet, it is no longer sufficient for an address to be unambiguous + only within the context of a single VPN: + + 1. Suppose that C-S is the address of a given extranet C-source + contained in VPN-A. Now consider the set of VPNs + {VPN-B, VPN-C, ...} containing extranet C-receivers that are + allowed by policy to receive extranet C-flows from VPN-A's C-S. + The address C-S MUST be unambiguous among this entire set of VPNs + {VPN-A, VPN-B, VPN-C, ...}; i.e., Host(C-S,A) == Host(C-S,B) == + Host(C-S,C). + + The implication is that C-S in VPN-A is not necessarily an + extranet C-source for all VPNs that contain extranet C-receivers; + policy MUST be used to ensure that C-S is an extranet C-source + for a given VPN, say VPN-B, only if C-S is unambiguous between + VPN-A and VPN-B. + + 2. If a given VRF contains extranet C-receivers for a given extranet + C-source, then the address of this C-source MUST be unambiguous + among all the extranet C-sources for which there are C-receivers + in the VRF. This is true whether or not C-sources are in VRFs + that belong to the same VPN or different VPNs. + + The implication is that if C-S in VRF-X is ambiguous with C-S in + VRF-Y, then there MUST NOT be any VRF, say VRF-Z, containing + C-receivers that are allowed by policy to receive extranet + C-flows from both C-S in VRF-X and C-S in VRF-Y. + + + + + + +Rekhter, et al. Standards Track [Page 12] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Note: A VPN customer may be using anycast addresses. An anycast + address is intentionally ambiguous, as it denotes a set of systems + rather than a single system. In this document, we will consider an + anycast address to be unambiguous in a given context as long as it + denotes the same set of systems whenever it occurs in that context. + + A multicast C-group address, say C-G, may also be ambiguous in that + it may be used for one multicast group in VPN-A and for an entirely + different multicast group in VPN-B. If a set of MVPNs are combined + into an extranet and C-G is an extranet C-group, it is necessary to + ensure that C-G is unambiguous among the entire set of VPNs whose + VRFs contain extranet C-sources, C-RPs, and/or extranet C-receivers + for that C-group. This may require, as part of the provisioning + process, customer/SP communication that is outside the scope of this + document. + + Subject to these restrictions, the SP has complete control over the + distribution of routes in an MVPN. This control is exerted by + provisioning either (1) the export RTs on the VRFs that originate the + routes (i.e., the VRFs that contain the extranet C-sources) or + (2) the import RTs on the VRFs that receive the routes (i.e., the + VRFs that contain the extranet C-receivers), or both. + + Some of the rules and restrictions on provisioning the RTs are + applicable to all extranets; these are specified in Section 4. + Sections 6 and 7 list additional rules and restrictions that are + applicable only to particular extranet scenarios. + + Even if all the RTs are provisioned according to the above rules and + restrictions, it is still possible for a single P-tunnel to contain + multicast data packets whose source and/or group addresses are + ambiguous in the context of the set of PEs that receive data from the + P-tunnel. That is, the above rules and restrictions are necessary, + but not sufficient, to prevent address ambiguity from causing + misdelivery of traffic. To prevent such misdelivery, additional + procedures or policies must be used. + + Sections 2.1 and 2.2 describe scenarios in which a given P-tunnel may + carry data packets with ambiguous addresses. The additional + procedures and policies needed to prevent misdelivery of data in + those scenarios are outlined in Section 2.3. (The detailed + procedures described in Sections 6 and 7 incorporate the + considerations discussed in Section 2.3.) + + + + + + + + +Rekhter, et al. Standards Track [Page 13] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +2.1. Ambiguity: P-Tunnel with Extranet/Non-extranet Flows + + In the following, we will use the notation "VRF A-n" to mean "VRF n + of VPN-A". + + If VPN-A and VPN-B have overlapping address spaces and are part of + the same extranet, then the following problem may exist, as + illustrated in Figure 1. + + C-S2(A) C-S1 Join(C-S2(A),G) + \ / / + \ / / + +-------+---+ P1: (C-S1,G), (C-S2(A),G) +---+--------+ + |VRF A-1| |---------------------------------| |VRF A-2 | + +-------+PE1| |PE2+--------+ + |VRF B-1| |---------------------------------| |VRF B-2 | + +-------+---+ P2: (C-S2(B),G) +---+--------+ + / / \ + / / \ + C-S2(B) Join(C-S2(B),G) Join(C-S1,G) + + Figure 1: Ambiguity of Extranet and Non-extranet Source Address + + Suppose that: + + o C-G is an SSM C-group used in VPN-A and VPN-B. + + o VRF A-1, on PE1, contains an extranet C-source, with IP address + C-S1, that is allowed to have receivers in VPN-B. VRF A-1 thus + exports to VPN-B a UMH-eligible route matching C-S1. + + o In addition, VRF A-1 contains a non-extranet C-source with IP + address C-S2. VRF A-1 exports a UMH-eligible route matching C-S2 + to other VPN-A VRFs but NOT to VPN-B. + + o VRF B-1, also on PE1, contains a non-extranet C-source with IP + address C-S2. A UMH-eligible route matching C-S2 is thus exported + from VRF B-1 to other VRFs in VPN-B. + + o Host(C-S2,A) != Host(C-S2,B). That is, C-S2 is an ambiguous + address in any extranet that contains both VPN-A VRFs and VPN-B + VRFs. + + o VRF B-2, on some other PE, say PE2, requests the multicast flow + (C-S1,C-G). In the context of VRF B-2, C-S1 matches the route + exported from VRF A-1. Thus, B-2's request to receive the + (C-S1,C-G) flow is transmitted to VRF A-1. + + + + +Rekhter, et al. Standards Track [Page 14] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + o VRF A-1 responds to VRF B-2's request for (C-S1,C-G) traffic by + transmitting that traffic on P-tunnel P1. + + o VRF B-2 joins P-tunnel P1 in order to receive the (C-S1,C-G) + traffic. + + o VRF A-2, on PE2, requests the (non-extranet) multicast flow + (C-S2,C-G). In the context of VRF A-2, C-S2 matches the route + exported from VRF A-1. Thus, A-2's request to receive the + (C-S2,C-G) traffic is transmitted to VRF A-1. + + o VRF A-1 responds to VRF A-2's request for (C-S2,C-G) traffic by + transmitting that traffic on P-tunnel P1. + + o VRF A-2 joins P-tunnel P1 in order to receive the (C-S2,C-G) + traffic. + + o VRF B-2 requests the (non-extranet) multicast flow (C-S2,C-G). In + the context of VRF B-2, C-S2 matches the route exported from VRF + B-1. Thus, B-2's request to receive the (C-S2,C-G) flow is + transmitted to VRF B-1. + + o VRF B-1 responds to VRF B-2's request for (C-S2,C-G) traffic by + transmitting that traffic on P-tunnel P2. + + o VRF B-2 joins P-tunnel P2. + + Since VRF B-2 has joined P-tunnel P1 and P-tunnel P2, it will receive + (C-S2,C-G) traffic on both P-tunnels. The (C-S2,C-G) traffic that + VRF B-2 needs to receive is traveling on P-tunnel P2; this (C-S2,C-G) + traffic must be forwarded by B-2 to any attached customer sites that + have C-receivers for it. But B-2 MUST discard the (C-S2,C-G) traffic + that it receives on P1, as this is not the traffic that it has + requested. If the (C-S2,C-G) traffic arriving on P1 were forwarded + to B-2's customer sites, the C-receivers would not be able to + distinguish the two flows, and the result would be a corrupted data + stream. + + Note that the procedures of Section 9.1.1 of [RFC6513] ("Discarding + Packets from Wrong PE") will not cause VRF B-2 to discard the + (C-S2,C-G) traffic that arrives on tunnel P1, because P1 and P2 have + the same upstream PE. + + Therefore, it is necessary to EITHER (1) prevent the above scenario + from occurring OR (2) ensure that multicast data packets will be + discarded if they arrive on the wrong P-tunnel (even if they arrive + from the expected PE). See Section 2.3 for further discussion of + this issue. + + + +Rekhter, et al. Standards Track [Page 15] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +2.2. Ambiguity: P-Tunnel with Multiple Extranet Flows + + Figure 2 illustrates another example of how overlapping address + spaces may cause a problem. + + C-S2(A2D) C-S1(A2C) Join(C-S2(A2D),G) + \ / / + \ / / + +-------+---+ P1: (C-S1(A2C),G), (C-S2(A2D),G)+---+--------+ + |VRF A-1| |---------------------------------| |VRF D-1 | + +-------+PE1| |PE2+--------+ + |VRF B-1| |---------------------------------| |VRF C-1 | + +-------+---+ P2: (C-S2(B2C),G) +---+--------+ + / / \ + / / \ + C-S2(B2C) / \ + Join Join + (C-S2(B2C),G) (C-S1(A2C),G) + + Figure 2: Ambiguity of Extranet Source Addresses + + Suppose that: + + o C-G is an SSM C-group address that is used in VPN-A, VPN-B, VPN-C, + and VPN-D. + + o VRF A-1, on PE1, contains an extranet C-source, with IP address + C-S1, that is allowed by policy to have C-receivers in VPN-C (but + not in VPN-D). VRF A-1 thus exports a UMH-eligible route matching + C-S1 to VPN-C. + + o In addition, VRF A-1 contains an extranet C-source, with IP + address C-S2, that is allowed by policy to have C-receivers in + VPN-D (but not in VPN-C). VRF A-1 thus exports a UMH-eligible + route matching C-S2 to VPN-D. + + o VRF B-1, also on PE1, contains an extranet C-source, with IP + address C-S2, that is allowed by policy to have C-receivers in + VPN-C (but not in VPN-D). VRF B-1 thus exports a UMH-eligible + route matching C-S2 to VPN-C. + + o Host(C-S2,A) != Host(C-S2,B). That is, C-S2 is an ambiguous + address in any extranet that contains both VPN-A VRFs and + VPN-B VRFs. + + + + + + + +Rekhter, et al. Standards Track [Page 16] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + o VRF C-1, on some other PE, say PE2, requests the extranet + multicast flow (C-S1,C-G). In the context of VRF C-1, C-S1 + matches the route exported from VRF A-1. Thus, C-1's request to + receive the (C-S1,C-G) flow is transmitted to VRF A-1. + + o VRF A-1 responds to VRF C-1's request for (C-S1,C-G) traffic by + transmitting that traffic on P-tunnel P1. + + o VRF C-1 joins P-tunnel P1 in order to receive the (C-S1,C-G) + traffic. + + o VRF C-1 requests the extranet multicast flow (C-S2,C-G). In the + context of VRF C-1, C-S2 matches the route exported from VRF B-1. + Thus, C-1's request to receive the (C-S2,C-G) flow is transmitted + to VRF B-1. + + o VRF B-1 responds by transmitting its (C-S2,C-G) traffic on + P-tunnel P2. + + o VRF C-1 joins P-tunnel P2 in order to receive the (C-S2,C-G) + traffic. + + o VRF D-1, on PE2, requests the extranet multicast flow (C-S2,C-G). + In the context of VRF D-1, C-S2 matches the route exported from + VRF A-1. Thus, D-1's request to receive the (C-S2,C-G) flow is + transmitted to VRF A-1. + + o VRF A-1 responds by transmitting its (C-S2,C-G) traffic on + P-tunnel P1. + + o VRF D-1 joins P-tunnel P1 in order to receive the (C-S2,C-G) + traffic. + + In this example, VRF A-1 has chosen to use the same P-tunnel, P1, to + carry both its (C-S2,C-G) traffic and the (C-S1,C-G) traffic. VRF + C-1 has joined tunnel P1 in order to receive the (C-S1,C-G) traffic + from VRF A-1, which means that VRF C-1 will also receive the unwanted + (C-S2,C-G) traffic from P1. VRF C-1 is also expecting (C-S2,C-G) + traffic from VRF B-1; this traffic will be received from P2. Thus, + VRF C-1 is receiving (C-S2,C-G) traffic on both tunnels, and both + C-flows arrive from the expected PE, PE1. + + Therefore, it is necessary to EITHER (1) prevent the above scenario + from occurring OR (2) ensure that VRF C-1 discards any (C-S,C-G) + traffic that arrives from the wrong P-tunnel. See Section 2.3 for + further discussion of this issue. + + + + + +Rekhter, et al. Standards Track [Page 17] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Note that the ambiguity described in this section (Section 2.2) would + not occur if C-G were an (ASM) extranet C-group. In that case, the + scenario would violate the rule, given previously in Section 2, + requiring that all sources sending to a particular ASM extranet + C-group must have addresses that are unambiguous over all the MVPNs + receiving traffic for that C-group. + +2.3. Preventing Misdelivery in These Scenarios + + There are two ways to prevent the scenarios discussed in Sections 2.1 + and 2.2 from resulting in misdelivery of data; these techniques are + discussed in Sections 2.3.1 and 2.3.2, respectively. + +2.3.1. Do Not Deliver Packets from the Wrong P-tunnel + + Consider a particular C-flow that has receivers in a particular VRF. + Sections 6 and 7 describe a set of procedures that enable an egress + PE to determine the "expected P-tunnel" for that C-flow in the + context of that VRF. If a PE receives packets of the C-flow (as + determined by the IP source and/or destination address of the + packet), it checks to see if the packet was received on the expected + P-tunnel for that VRF. If so, the packet is delivered to the VRF + (and thus to the C-flow's receivers in that VRF). If not, the packet + is not delivered to the VRF. + + Note that at a given egress PE, the wrong P-tunnel for one VRF may be + the correct P-tunnel for another. + + These procedures, if applied at every PE that joins a given P-tunnel, + are sufficient to prevent misdelivery of traffic in the scenarios + discussed in Sections 2.1 and 2.2. + + IF these procedures cannot be applied by every PE that is attached to + a given extranet, then the policies of Section 2.3.2 MUST be applied + at every VRF containing C-sources for that extranet. + + In some cases, however, it may be safe to deliver packets that arrive + from other than the expected P-tunnel. Suppose that it is known that + every packet gets transmitted on only a single P-tunnel. (This will + be the case if the "single PMSI per C-flow" transmission model, + discussed in Section 3.1, is being used.) Suppose also that it is + known that T1 and T2 carry only packets that arrived at the same + ingress PE, over one or more VRF interfaces that are associated with + the same VRF (i.e., that there is a particular VRF that is the + ingress VRF for ALL the packets carried by T1 or T2). In this case, + if T1 is the expected P-tunnel for a given (C-S,C-G), it is NOT + necessary to discard (S,G) packets that arrive over T2. + + + + +Rekhter, et al. Standards Track [Page 18] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + It is not always possible to determine whether two P-tunnels are + carrying packets from the same ingress VRF. However, in some cases, + this can be determined by examination of the A-D routes in which the + tunnels have been advertised. + + Consider the following example: + + o Tunnel T1 is a Point-to-Multipoint (P2MP) multipoint Label + Distribution Protocol (mLDP) or RSVP-TE P-tunnel advertised in an + Intra-AS I-PMSI A-D route (call it "R1"). + + o Tunnel T2 is a P2MP mLDP or RSVP-TE P-tunnel advertised in an + S-PMSI A-D route (call it "R2"). + + o The respective NLRIs of R1 and R2 contain the same RD value. + + o The MPLS Label field of R1's PTA is zero, and the MPLS label value + of R2's PTA is zero. + + In this example, it can be concluded that T1 and T2 are carrying + packets from the same ingress VRF. Thus, if T1 is the expected + P-tunnel for a (C-S,C-G) flow, (S,G) packets from T2 can be safely + delivered to the egress VRF; they do not need to be discarded. + Similarly, if T2 is the expected P-tunnel for a (C-S,C-G) flow, (S,G) + packets from T1 can be safely delivered to the egress VRF. + + Another example is the following: + + o Tunnel T3 is a P2MP mLDP or RSVP-TE P-tunnel advertised in a + (C-*,C-*) S-PMSI A-D route (call it "R3"). + + o Tunnel T4 is a P2MP mLDP or RSVP-TE P-tunnel advertised in a + (C-S,C-G) S-PMSI A-D route (call it "R4"). + + o The respective NLRIs of R3 and R4 contain the same RD value. + + o The MPLS Label field of R3's PTA is zero, and the MPLS label value + of R4's PTA is zero. + + In this example, it can be concluded that T3 and T4 are carrying + packets from the same ingress VRF. Thus, if T3 is the expected + P-tunnel for a (C-S,C-G) flow, (S,G) packets from T4 can be safely + delivered to the egress VRF; they do not need to be discarded. + Similarly, if T4 is the expected P-tunnel for a (C-S,C-G) flow, + (S,G) packets from T3 can be safely delivered to the egress VRF. + + + + + + +Rekhter, et al. Standards Track [Page 19] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + When Ingress Replication (IR) P-tunnels are being used, please see + [MVPN-IR], especially Section 7 ("The PTA's 'MPLS Label' Field") for + a discussion of how to determine when packets from other than the + expected P-tunnel must be discarded. + +2.3.2. Policies to Prevent Ambiguity on a P-Tunnel + + For P-tunnels that are advertised in S-PMSI A-D routes whose NLRI + contains (C-S,C-G) or (C-S,C-*), the ambiguities described in + Sections 2.1 and 2.2 can be prevented by provisioning a policy that + assigns, to such P-tunnels, only flows from the same C-source. + + However, it is not always possible to determine, through inspection + of the control messages, whether this policy has been deployed. For + instance, suppose that (1) a given VRF has imported a set of S-PMSI + A-D routes, (2) each route in the set has bound only a single + (C-S1,C-G1) to a single P-tunnel, and (3) each route in the set + identifies a different P-tunnel in its PTA than the P-tunnel + identified by the PTA of any other route in the set. One cannot + infer from this that there is no ambiguity, as the same P-tunnel may + also have been advertised in an S-PMSI A-D route that is not imported + by the given VRF, and that S-PMSI A-D route may have bound + (C-S2,C-G2) to the P-tunnel, where C-S1 != C-S2. + + Therefore, in order to determine that a given P-tunnel (advertised in + a (C-S,C-G) or (C-S,C-*) S-PMSI A-D route) carries only C-flows from + a single C-source, a PE must have a priori knowledge (through + provisioning) that this policy has been deployed. In the remainder + of this document, we will refer to this policy as the "single + C-source per (C-S,C-G) or (C-S,C-*) P-tunnel" policy. Note that this + policy is only applicable to P-tunnels that are advertised only in + (C-S,C-G) or (C-S,C-*) S-PMSI A-D routes. + + Of course, if a P-tunnel is advertised in (a) an I-PMSI A-D route, + (b) an S-PMSI A-D route whose NLRI contains (C-*,C-*), or (c) an + S-PMSI A-D route whose NLRI contains (C-*,C-G), then it is always + possible for the P-tunnel to contain traffic from multiple C-sources; + there is no policy that can prevent that. + + However, if a P-tunnel advertised in a (C-*,C-G) S-PMSI A-D route + contains only traffic addressed to a single C-G, the address + uniqueness rules of Section 2 prevent the C-source addresses from + being ambiguous; the set of C-sources transmitting to a particular + extranet C-group address must be unambiguous over the set of MVPNs + that have receivers for that C-group. So, for P-tunnels that are + advertised in (C-*,C-G) S-PMSI A-D routes, the ambiguities described + in Sections 2.1 and 2.2 can be prevented by provisioning a policy + + + + +Rekhter, et al. Standards Track [Page 20] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + that assigns to such P-tunnels only flows to the same extranet + C-group. We will refer to this policy as the "single C-group per + (C-*,C-G) P-tunnel" policy. + + These considerations can be summarized as follows. IF the procedures + referenced in Section 2.3.1 cannot be applied, then the PEs MUST be + provisioned so that all of the following conditions hold true for the + VRFs that contain extranet C-sources: + + o the "single C-source per (C-S,C-G) or (C-S,C-*) P-tunnel" policy + is provisioned, + + o either no (C-*,C-G) S-PMSI A-D routes are advertised or the + "single C-group per (C-*,C-G) P-tunnel" policy is provisioned, + + o no P-tunnels are advertised in I-PMSI A-D routes, and + + o no (C-*,C-*) S-PMSI A-D routes are advertised. + + Section 3 of this document describes a procedure known as "extranet + separation". When extranet separation is used, the ambiguity + described in Section 2.1 is prevented. However, the ambiguity + described in Section 2.2 is not prevented by extranet separation. + Therefore, the use of extranet separation is not a sufficient + condition for avoiding the use of the procedures discussed in + Section 2.3.1. Extranet separation is, however, implied by the + policies discussed in this section (Section 2.3.2). + +3. Extranet Transmission Models + + This document specifies several "extranet transmission" models. A + given VRF containing extranet C-sources or C-receivers MUST use only + one of these models. Further, if VRF-S contains extranet C-sources, + VRF-R contains extranet C-receivers, and it is allowed by policy for + an extranet C-receiver in VRF-R to receive a C-flow from an extranet + C-source in VRF-S, then VRF-S and VRF-R MUST use the same extranet + transmission model. The model used by a given VRF is determined by + provisioning. + +3.1. Transmitting an Extranet C-Flow on a Single PMSI + + In one extranet transmission model, which we call the "transmitting + an extranet C-flow on a single PMSI" model or, more simply, the + "single PMSI per C-flow" model, a PE transmitting a packet of an + extranet C-flow transmits it on only a single PMSI. If the PMSI is + instantiated by a multicast P-tunnel, this means that the PE + transmits the packet on a single P-tunnel. Of course, if the PE is a + replication point for that multicast P-tunnel, the packet is + + + +Rekhter, et al. Standards Track [Page 21] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + transmitted more than once by the PE. Similarly, if the PMSI is + instantiated by IR, each packet may be transmitted multiple times. + It is still the case, though, that the packet is transmitted only on + one PMSI. + + This document provides procedures for supporting this transmission + model using either BGP or PIM as the PE-PE C-multicast control + protocol. + + There are two variants of this transmission model: "without extranet + separation" and "with extranet separation". + +3.1.1. Without Extranet Separation + + In this variant, multicast data traffic from extranet C-sources and + from non-extranet C-sources may be carried in the same P-tunnel. + + This document provides procedures for supporting this variant using + either BGP or PIM as the PE-PE C-multicast control protocol. + +3.1.2. With Extranet Separation + + In this variant, multicast data traffic from extranet C-sources and + from non-extranet C-sources are never carried in the same P-tunnel. + Under certain circumstances, this can reduce the amount of multicast + data traffic that is delivered unnecessarily to certain PE routers. + It also eliminates the ambiguity discussed in Section 2.1. + + By definition, when extranet separation is used, the following rule + MUST be applied: + + Traffic from extranet C-sources MUST NOT be carried in the same + P-tunnel as traffic from non-extranet C-sources. + + This rule does not impact those VRFs that contain only non-extranet + C-sources, nor does it impact those VRFs that contain only extranet + C-sources. However, if a particular VRF contains both kinds of + C-sources, it will need to advertise some P-tunnels that are used for + carrying only extranet C-flows and some that are used only for + carrying non-extranet C-flows. + + This document provides procedures for supporting extranet separation + when BGP is used as the PE-PE C-multicast control protocol. Support + for extranet separation using PIM as the PE-PE C-multicast control + protocol is outside the scope of this document. + + + + + + +Rekhter, et al. Standards Track [Page 22] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +3.2. Transmitting an Extranet C-Flow over Multiple PMSIs + + The second extranet transmission model is called the "transmitting an + extranet C-flow over multiple PMSIs" model or, more simply, the + "multiple PMSIs per C-flow" model. In this model, a PE may transmit + the packets of an extranet C-flow on several different PMSIs. + + Support for extranet separation with this model is outside the scope + of this document. + + This document provides procedures for supporting this transmission + model when PIM is used as the PE-PE C-multicast control protocol. + Support for this transmission model when BGP is used as the PE-PE + C-multicast control protocol is outside the scope of this document. + +4. Distribution of Routes That Match C-S/C-RP Addresses + +4.1. UMH-Eligible Routes + + As described in Section 5.1 of [RFC6513], in order for a C-flow + (C-S,C-G) to be carried across the SP backbone, a VRF that has + multicast receivers for that C-flow must import a route that matches + C-S, and this route must be "eligible for UMH selection". In this + document, we will refer to these routes as "UMH-eligible extranet + C-source routes". + + The UMH-eligible extranet C-source routes do not necessarily have to + be unicast routes; they MAY be SAFI 129 routes (see Section 5.1.1 of + [RFC6513]). For example, suppose that one wants a VPN-R C-receiver + to be able to receive extranet C-flows from C-sources in VPN-S but + does not want any VPN-R system to be able to send unicast traffic to + those C-sources. One can achieve this by using SAFI 129 routes as + the UMH-eligible routes exported from VPN-S and imported by VPN-R. + Since SAFI 129 routes are used only for UMH determination and not for + unicast routing, this allows the multicast traffic to be forwarded + properly but does not create unicast routes to the C-sources. + + If a customer is using PIM-SM in the ASM model and one or more + customer sites have C-receivers that are allowed by policy to join a + (C-*,C-G) tree, where C-G is an extranet C-group, then any VRF with + C-receivers for that group MUST import a UMH-eligible route that + matches C-RP, where C-RP is the Rendezvous Point (RP) address + for C-G. + + The UMH-eligible extranet C-source and C-RP routes do not have to be + "host routes". That is, they can be routes whose IPv4 address + prefixes are not 32 bits in length or whose IPv6 address prefixes are + not 128 bits in length. So, it is possible for a UMH-eligible + + + +Rekhter, et al. Standards Track [Page 23] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + extranet C-source route to match the address of an extranet C-source + and to also match the address of a non-extranet C-source. However, + if such a route is exported from a VPN-S VRF and imported by a VPN-R + VRF, VPN-R receivers will be able to receive C-flows from any + non-extranet C-sources whose addresses match that route. To prevent + this, the VPN-S VRF SHOULD be provisioned such that it will NOT + export a UMH-eligible route that matches (in the context of the VPN-R + VRF) both extranet C-sources and non-extranet C-sources. Failure to + follow this rule may result in a VPN security violation. (See + Section 10.) + + In general, one does not want ALL the routes from the VPN-S VRFs to + be exported to all the VPN-R VRFs, as only a subset of the routes in + the VPN-S VRFs will be UMH-eligible extranet C-source routes. Route + distribution is, as is always the case for a BGP/MPLS IP VPN + [RFC4364], controlled by Route Targets (RTs). A variety of route + distribution policies can be created by appropriately provisioning + the import and export RTs of the various VRFs. + + For example, the VPN-S VRFs that contain extranet C-sources could be + configured to apply an export RT whose value is "RT-A-extranet" to + the routes that match the extranet C-sources. The VPN-R VRFs that + contain extranet C-receivers allowed to receive extranet C-flows + from VPN-S extranet C-sources could then be configured with + "RT-A-extranet" as an import RT. + + Arbitrarily complex policies can be created by suitable manipulation + of the import and export RTs. + +4.1.1. Extranet Separation + + If extranet separation is being used and a given VRF is exporting + UMH-eligible routes for both extranet C-sources and non-extranet + C-sources, then the VRF MUST be configured not only with its + default RD but also with an extranet RD. The exported UMH-eligible + routes MUST contain the extranet RD in their NLRIs. + + + + + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 24] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +4.2. Distribution of Unicast Routes Matching C-RPs and DRs + + Consider a C-source, C-S, that may transmit to a particular extranet + C-group, C-G. + + In order to follow the procedures of [RFC7761], + + o The "first-hop designated router (DR)" for C-S needs to be able to + unicast PIM Register messages to a C-RP that services C-G. + + o The C-RPs servicing C-G need to be able to unicast PIM + Register-Stop messages to the DR for C-S. + + It follows that if a VRF contains C-S but does not contain a C-RP for + C-G, then the VRF MUST import a unicast route matching a C-RP for + C-G. Note that the unicast route matching the C-RP is needed whether + or not the VRF has also imported a SAFI 129 route matching the C-RP. + (If the VRF also contains receivers for C-G and UMH determination is + being done using SAFI 129 routes, both a unicast route and a SAFI 129 + matching C-RP route are needed.) + + Similarly, if a VRF contains a C-RP for C-G but does not contain C-S, + the VRF MUST import a unicast route matching the DR for C-S. Note + that the unicast route matching the DR for C-S is needed even if UMH + determination is being done using SAFI 129 routes; in that case, if + the VRF also contains receivers for C-G, it needs to import a + SAFI 129 route matching C-S and a unicast route matching the DR + for C-S. + + If, for a particular extranet C-group, C-G, the customer is using + "anycast-RP" [RFC3446] [RFC4610] or the Multicast Source Discovery + Protocol (MSDP) [RFC3618], then all the C-RPs serving C-G need to + send unicast messages to each other. Thus, any VRF that contains a + C-RP for C-G needs to import unicast routes matching ALL the other + C-RPs that serve C-G. + + The need to distribute these unicast routes is usually not a problem + as long as all the C-sources and C-RPs for C-G are in the same MVPN. + If, however, the C-sources are not all in the same MVPN, great care + must be taken to ensure that the unicast routes mentioned above are + properly distributed. + + There may be scenarios in which all the C-sources for C-G are in the + same MVPN, but there are receivers in different VPNs, and some or all + of the VPNs with receivers have their own C-RPs for C-G. In this + case, care must be taken to ensure that the C-RPs can all unicast to + each other. + + + + +Rekhter, et al. Standards Track [Page 25] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +4.3. Route Targets and Ambiguous UMH-Eligible Routes + + This section imposes a constraint on the way RTs are assigned to + (a) UMH-eligible routes and (b) the BGP A-D routes that advertise + P-tunnels (i.e., BGP A-D routes that contain a PTA). The constraint + specified here applies to any extranet for which the ambiguity + described in Section 2.2 is possible. (The conditions under which + such ambiguity is possible are also described in Section 2.2.) + + We want to ensure that, in any given VRF, the UMH-eligible route + matching a given extranet C-source has an RT in common with every BGP + A-D route that advertises a P-tunnel that may be used to carry + extranet multicast traffic from that C-source. We also want to + ensure that the UMH-eligible route matching a given extranet C-source + does not have any RT in common with any BGP A-D route that advertises + a P-tunnel that may be used to carry any multicast traffic from a + different C-source that has the same IP address. This enables us to + determine whether traffic that appears to be from the given C-source + is really arriving on the wrong P-tunnel and hence is really from a + different C-source with the same IP address. + + Suppose that an IP address C-S is used in VPN-A as the address of one + system and used in VPN-B as the address of a different system. In + this case, one or more VPN-A VRFs may export a VPN-IP route whose + NLRI is , and one or more VPN-B VRFs may export a VPN-IP route + whose NLRI is , where RD1 != RD2. Consider two routes -- R1 + and R2 -- for which the following conditions all hold: + + o R1 and R2 are UMH-eligible extranet C-source or C-RP routes, or + are unicast routes matching a C-RP. + + o R1 is exported from a VRF of VPN-A, while R2 is exported from a + VRF of a different VPN, say VPN-B. + + o R1's NLRI specifies IP address prefix S/n. + + o R2's NLRI specifies IP address prefix S/m. + + o m >= n (S/m is either the same as or more specific than S/n). + + o There is some host address H such that: + + * H denotes a different system in VPN-A than in VPN-B, and + + * H/m == S/m (so either S/m or S/n might be a longest match for H + in some VRF). + + + + + +Rekhter, et al. Standards Track [Page 26] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + We impose the following constraint: RTs MUST be assigned in such a + way that R1 and R2 do not have any RT in common. + + (This constraint is not as onerous as it may seem. Typically, R1 and + R2 would not have an RT in common, as that might result in their + being imported into the same VRF, making the address H ambiguous in + that VRF.) + + Sections 6 and 7 specify procedures for determining if a received + C-flow has been received over the expected P-tunnel. Those + procedures will not work if this constraint is violated. (The + constraint described in this section is necessary, but not + sufficient, for the procedures of Sections 6 and 7 to work; + additional constraints that cover the assignment of RTs to BGP A-D + routes are given in subsequent sections.) + +4.4. Dynamically Marking Extranet Routes + +4.4.1. The Extranet Source Extended Community + + Sections 4.1, 4.2, and 4.3 place specific requirements on the way in + which certain VPN-IP routes are distributed. In order to ensure that + these requirements are met, a VPN customer must tell its SP which + routes are the matching routes for extranet C-sources and C-RPs. + This may be done as part of the provisioning process. Note that this + does not necessarily require customer/provider interaction every time + the customer adds a new extranet C-source or C-RP, but only when the + IP address of the new C-source or C-RP does not match an existing + route that is already being distributed as a VPN-IP extranet route. + Nevertheless, it seems worthwhile to support an OPTIONAL mechanism + that allows a customer to dynamically mark certain routes as being + extranet routes. + + To facilitate this, we define a new Transitive Opaque Extended + Community (see [RFC4360], [RFC7153], and Section 9 of this document): + the Extranet Source Extended Community. When a Customer Edge (CE) + router advertises (via BGP) a route to a PE router and the AFI/SAFI + of the route is 1/1, 1/2, 1/4, 2/1, 2/2, or 2/4, the Extranet Source + Extended Community MAY be attached to the route. The value field of + the Extended Community MUST be set to zero. By placing this Extended + Community on a particular route, a CE router indicates to a PE router + that the procedures of Sections 4.1, 4.2, and 4.3 are to be applied + to that route. That is, the CE router may use this Extended + Community to indicate to the PE router that a particular route is to + be treated as a route that matches the address of an extranet source + and is to be exported accordingly to other VPNs. A PE router that + interprets this Extended Community MUST ignore the contents of the + value field. + + + +Rekhter, et al. Standards Track [Page 27] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Whether a CE router uses the Extranet Source Extended Community is + determined by the configuration of the CE router. If used, the set + of routes to which the Extended Community is attached is also + determined by configuration of the CE. Note that a particular PE + router may or may not support the use of the Extranet Source Extended + Community by a particular CE router; this is determined by the + service agreement between the SP and its customer. + + If a CE is advertising SAFI 2 routes to the PE as the UMH-eligible + extranet C-source and C-RP routes and the CE is using the Extranet + Source Extended Community, it is important that the CE attach that + Extended Community to the SAFI 2 routes, rather than just to the + corresponding SAFI 1 routes. Otherwise, extranet receivers may not + be able to join the (C-S,C-G) or (C-*,C-G) multicast trees. + + However, if the C-sources and the C-RPs for a given extranet C-group + are not all in the same VPN, the Extended Community would also have + to be attached to the SAFI 1 routes that match the C-RP addresses and + to the SAFI 1 routes that match the addresses of the first-hop + designated routers for all the C-sources. Otherwise, the first-hop + routers might not be able to send PIM Register messages to the C-RPs, + and the C-RPs might not be able to send PIM Register-Stop messages to + the first-hop routers. + + While this Extended Community allows a customer to inform the SP + dynamically that certain routes are "extranet routes", it does not + allow a customer to control the set of RTs that the route will carry + when it is redistributed as a VPN-IP route. Thus, it is only useful + when all the extranet routes from a given VRF are exported with + exactly the same set of RTs. (cf. Section 4.3.1 of [RFC4364], which + does provide a mechanism that, if properly supported by the SP, + allows the customer to determine the set of RTs carried by a VPN-IP + route.) A CE SHOULD NOT attach the Extranet Source Extended + Community to any route for which it uses another method of specifying + the RTs to be carried by that route. A CE SHOULD NOT attach the + Extranet Source Extended Community to a route unless all the extranet + routes from the CE's VPN are intended to carry the same set of RTs. + + A PE SHOULD ignore the Extranet Source Extended Community if it + appears on a route that the CE should not have put it on. A PE that + ignores the Extranet Source Extended Community SHOULD NOT follow the + procedures of Section 4.4.2. + + Note that misconfiguration on the CE router can result in the + Extranet Source Extended Community being mistakenly attached to a + route that is not intended to be exported as an extranet route. This + could result in a VPN security violation. + + + + +Rekhter, et al. Standards Track [Page 28] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +4.4.2. Distribution of Extranet Source Extended Community + + Suppose that a PE receives from a CE a route (call it "R") with the + Extranet Source Extended Community. The PE must determine (via the + considerations discussed in Section 4.4.1) whether it should ignore + that Extended Community on route R; if it should ignore the Extended + Community, the procedures described in this section are not followed. + + Otherwise, when the PE originates a VPN-IP route corresponding to + route R, the PE MUST attach this Extended Community to that route. + + A Route Reflector MUST NOT add or remove the Extranet Source Extended + Community from the VPN-IP routes reflected by the Route Reflector, + including the case where VPN-IP routes received via Internal BGP + (IBGP) are reflected to External BGP (EBGP) peers (inter-AS + option (c); see Section 10 of [RFC4364]). The value of the Extended + Community MUST NOT be changed by the Route Reflector. + + When re-advertising VPN-IP routes, Autonomous System Border Routers + (ASBRs) MUST NOT add/remove the Extranet Source Extended Community + from these routes. This includes inter-AS options (b) and (c) (see + Section 10 of [RFC4364]). The value of the Extended Community + MUST NOT be changed by the ASBRs. + + When a PE advertises (via BGP) IP routes to a CE, these routes + MUST NOT carry the Extranet Source Extended Community unless the + PE-CE connection is actually an inter-AS option (a) connection (see + Section 10 of [RFC4364]). When the PE-CE connection is not an + inter-AS option (a) connection, a CE that receives an IP route with + the Extranet Source Extended Community MUST remove it from the route + before re-advertising the route. + + The rules for attaching the Extranet Source Extended Community to a + VPN-IP route, and the rules for propagating that Extended Community, + are needed in order to support the scenario in which a VPN contains + an option (a) interconnect (see Section 10 of [RFC4364]). At the + option (a) interconnect, the VPN-IP route gets translated back to an + IP route, and the RTs are stripped off before the IP route is + propagated. If the Extranet Source Extended Community has also been + stripped off, there is no way for the router at the other end of the + option (a) interconnect to know that the route represents an extranet + source. Thus, the technique of using the Extranet Source Extended + Community to dynamically signal that a particular route represents an + extranet source will not work correctly across an option (a) + interconnect unless the rules in this section are followed. + + + + + + +Rekhter, et al. Standards Track [Page 29] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +4.5. The Extranet Separation Extended Community + + We define a new Transitive Opaque Extended Community: the Extranet + Separation Extended Community (see [RFC4360], [RFC7153], and + Section 9 of this document). This Extended Community is used only + when extranet separation is being used. Its value field MUST be set + to zero upon origination, MUST be ignored upon reception, and MUST be + passed unchanged by intermediate routers. A Route Reflector MUST NOT + add or remove the Extranet Separation Extended Community from the + routes it reflects, including the case where routes received via IBGP + are reflected to EBGP peers (inter-AS option (c); see Section 10 of + [RFC4364]). + + If a VRF has been provisioned to use extranet separation and that VRF + has been provisioned to transmit any extranet C-flows on a P-tunnel + that it advertises in an I-PMSI A-D route or a (C-*,C-*) S-PMSI A-D + route, then any UMH-eligible routes that are exported from that VRF + following the procedures of Sections 4.1, 4.2, and 4.3 MUST carry the + Extranet Separation Extended Community. In addition, if an I-PMSI + A-D route and/or (C-*,C-*) S-PMSI A-D route exported from that VRF is + used to carry extranet traffic, that A-D route MUST also carry the + Extranet Separation Extended Community. Further details may be found + in Sections 7.3, 7.4.4, and 7.4.5. + +5. Origination and Distribution of BGP A-D Routes + + Except where otherwise specified, this section describes procedures + and restrictions that are independent of the PE-PE C-multicast + control protocol. + +5.1. Route Targets of UMH-Eligible Routes and A-D Routes + + Suppose that there is an extranet C-flow such that: + + o The extranet C-source of that C-flow is in VRF A-1. + + o One or more extranet C-receivers of that C-flow are in VRF B-1. + + In this case, VRF A-1 MUST export a UMH-eligible route that matches + the extranet C-source address, and VRF B-1 MUST import that route. + In addition, VRF A-1 MUST export an Intra-AS I-PMSI A-D route or an + S-PMSI A-D route specifying the P-tunnel through which it will send + the data traffic of the given extranet C-flow, and VRF B-1 MUST + import that route. If BGP is the PE-PE C-multicast control protocol, + then under certain conditions (as specified in [RFC6514]), VRF A-1 + may also need to export a Source Active A-D route specifying that it + contains a source of the given C-flow, and VRF B-1 must import that + Source Active A-D route. That is, in order for VRF B-1 to receive a + + + +Rekhter, et al. Standards Track [Page 30] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + C-flow from a given extranet C-source contained in VRF A-1, VRF A-1 + MUST export a set of A-D routes that are "about" that source, and VRF + B-1 MUST import them. + + One way to ensure this is to provision an RT that is carried by all + the routes exported from VRF A-1 that are "about" a given extranet + C-source and also provision this RT as an import RT at any VRF (such + as VRF B-1) that is allowed to receive extranet flows from that + source. + + If the "single PMSI per C-flow" transmission model is being used + (with or without extranet separation), there is an additional + requirement, stated below, regarding the way RTs are provisioned, as + the RTs carried by a UMH-eligible route that matches a given extranet + C-source may need to be used to identify the A-D routes that are + "about" that source. + + Consider the following scenario: + + o IP address S is the address of one system in VPN-A and the address + of a different system in VPN-B. + + o VRF A-1 on PE1 exports UMH-eligible route R1, which is a matching + route for S. + + o VRF A-1 on PE1 exports an A-D route P1 whose PTA identifies a + P-tunnel through which VRF A-1 may send traffic whose C-source is + S, where one of the following conditions holds: + + * P1 is an I-PMSI A-D route, OR + + * P1 is an S-PMSI A-D route whose NLRI contains (C-*,C-*) or + (C-*,C-G), OR + + * P1 is an S-PMSI A-D route whose NLRI contains (C-S,C-G) or + (C-S,C-*), BUT the "single C-source per (C-S,C-G) or (C-S,C-*) + P-tunnel" policy is not provisioned, OR + + * P1 is a Source Active A-D route whose NLRI contains (C-S,C-G). + + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 31] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + o VRF B-1 on PE1 exports a UMH-eligible route R2, which is a + matching route for S. + + o VRF B-1 on PE1 exports an A-D route P2 whose PTA identifies a + P-tunnel on which VRF B-1 may send traffic whose C-source is S, + where one of the following conditions holds: + + * P2 is an I-PMSI A-D route, OR + + * P2 is an S-PMSI A-D route whose NLRI specifies (C-*,C-*) or + (C-*,C-G), OR + + * P2 is an S-PMSI A-D whose NLRI specifies (C-S,C-G) or + (C-S,C-*), BUT the "single C-source per (C-S,C-G) or (C-S,C-*) + P-tunnel" policy is not provisioned, OR + + * P2 is a Source Active A-D route whose NLRI contains (C-S,C-G). + + As implied by the rules of Section 4.1, there MUST NOT be any RT that + is common to both R1 and R2. In addition, the following set of rules + for RT assignment MUST be followed when extranets are supported. + These rules support all the extranet transmission models described in + this specification: + + o There MUST NOT be any RT that is carried by both P1 and P2. + + o The intersection of the set of RTs carried by P1 and the set of + RTs carried by R1 MUST be non-null, and any VRF that imports both + P1 and R1 MUST be configured with an import RT from this + intersection. + + o The intersection of the set of RTs carried by P2 and the set of + RTs carried by R2 MUST be non-null, and any VRF that imports both + P2 and R2 MUST be configured with an import RT from this + intersection. + + + + + + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 32] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Suppose that VRF C-1 on PE2 imports P1 and R1 from VRF A-1 while also + importing P2 from VRF B-1. Since + + o R1 is VRF C-1's route to S, + + o R1 has an RT in common with P1, and + + o R1 has no RT in common with P2, + + it can be concluded that VRF C-1 should expect that multicast traffic + from S will arrive on the P-tunnel specified in P1. See Sections 6 + and 7 for more details on determining the expected P-tunnel for a + given extranet C-flow. + + While the assignment of import and export RTs to routes is a + deployment and provisioning issue rather than a protocol issue, it + should be understood that failure to follow these rules is likely to + result in VPN security violations. + +5.2. Considerations for Particular Inclusive Tunnel Types + + An Inclusive Tunnel (sometimes referred to as an "Inclusive Tree"; + see Section 2.1.1 of [RFC6513]) is a tunnel that, by default, carries + all the multicast traffic of a given MVPN that enters the backbone + network via a particular PE. An Inclusive Tunnel is advertised in + the PTA of an I-PMSI A-D route. + +5.2.1. RSVP-TE P2MP or Ingress Replication + + This section applies when Inclusive Tunnels are created using either + RSVP-TE P2MP or IR. + + Suppose that a VRF, say VRF-S, contains a given extranet C-source + C-S, and VRF-S advertises in its Intra-AS I-PMSI A-D route either a + P2MP RSVP-TE P-tunnel or an IR P-tunnel to carry extranet traffic. + + In order for VRF-S to set up the P2MP RSVP-TE or IR P-tunnel, it must + know all the PEs that are leaf nodes of the P-tunnel, and to learn + this it must import an Intra-AS I-PMSI A-D route from every VRF that + needs to receive data through that tunnel. + + Therefore, if VRF-R contains an extranet C-receiver that is allowed + by policy to receive extranet flows from C-S, the RT(s) carried by + the Intra-AS I-PMSI A-D routes originated by VRF-R MUST be such that + those Intra-AS I-PMSI A-D routes will be imported into VRF-S. + + + + + + +Rekhter, et al. Standards Track [Page 33] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + In the case of IR, this has the following consequence: if an egress + PE has n VRFs with receivers for a flow that VRF-S transmits on its + I-PMSI, that egress PE will receive n copies of the same packet, one + for each of the n VRFs. + + Note that Section 9.1.1 of [RFC6514] prohibits the "Leaf Information + Required" flag from being set in the PTA of an Intra-AS I-PMSI A-D + route. If this prohibition is ever removed, the requirement of this + section will apply only if VRF-S does not set that flag. + +5.2.2. Ingress Replication + + This section applies only when Inclusive Tunnels are created via IR. + + [RFC6513] and [RFC6514] specify procedures that allow I-PMSIs to be + instantiated by IR. The concept of an IR P-tunnel, and the + procedures for supporting IR P-tunnels, are explained more fully in + [MVPN-IR]. An IR P-tunnel can be thought of as a P2MP tree in which + a packet is transmitted from one node on the tree to another by being + encapsulated and sent through a unicast tunnel. + + As discussed in Section 2, when I-PMSIs are used to support + extranets, egress PEs MUST have the ability to discard customer + multicast data packets that arrive on the wrong P-tunnel. When + I-PMSIs are instantiated by IR, this implies that the following two + procedures MUST be followed: + + 1. One of the following three procedures MUST be followed: + + a. the "Single Forwarder Selection" procedures of Section 9.1.2 + of [RFC6513] + + b. the "native PIM methods" of Section 9.1.3 of [RFC6513] + + c. the unicast encapsulation used to transmit packets along the + IR P-tunnel is such as to enable the receiving node to + identify the transmitting node (note that this would not be + the case if, for example, the unicast tunnels were MP2P LSPs) + + and + + 2. If a PE assigns an MPLS label value in the PTA of an Intra-AS or + Inter-AS I-PMSI A-D route that it originates, that label value + MUST NOT appear in the PTA of any other I-PMSI or S-PMSI A-D + route originated by the same PE. + + + + + + +Rekhter, et al. Standards Track [Page 34] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Failure to follow these procedures would make it impossible to + discard packets that arrive on the wrong P-tunnel and thus could lead + to duplication of data. + + If it is desired to support extranets while also using IR to + instantiate the PMSIs, an alternative is to use (C-*,C-*) S-PMSIs + instead of I-PMSIs. (See [RFC6625], as well as Sections 7.2.2, + 7.3.2, and 7.4.4 of this document.) This has much the same effect in + the data plane, and there are no restrictions on the type of unicast + tunnel that can be used for instantiating S-PMSIs. + + Section 6.4.5 of [RFC6513] describes a way to support VPNs using + I-PMSIs that are instantiated by IR, using no S-PMSIs, but using + "explicit tracking" to ensure that a C-flow goes only to egress PEs + that have receivers for it. This document does not provide + procedures to support extranets using that model. + +6. When PIM Is the PE-PE C-Multicast Control Plane + + As specified in [RFC6513], when PIM is used as the PE-PE C-multicast + control plane for a particular MVPN, there is a "Multidirectional + Inclusive Provider Multicast Service Interface" (MI-PMSI) for that + MVPN, and all the PEs of that MVPN must be able to send and receive + on that MI-PMSI. Associated with each VRF of the MVPN is a PIM + C-instance, and the PIM C-instance treats the MI-PMSI as if it were a + LAN interface. That is, the "ordinary" PIM procedures run over the + MI-PMSI just as they would over a real LAN interface, except that the + data-plane and control-plane "Reverse Path Forwarding (RPF) checks" + need to be modified. Section 5.2 of [RFC6513] specifies the RPF + check modifications for non-extranet MVPN service. + + For example, suppose that there are two VPNs: VPN-S and VPN-R. In + the absence of extranet support, all the VRFs of VPN-S are connected + via one MI-PMSI (call it "the VPN-S MI-PMSI"), and all the VRFs of + VPN-R are connected via another ("the VPN-R MI-PMSI"). If we want to + provide extranet service in which the extranet C-sources are attached + to some set of VPN-S VRFs while the extranet C-receivers are attached + to some set of VPN-R VRFs, then we have two choices: + + 1. either the VPN-R VRFs need to join the VPN-S MI-PMSI, or + + 2. the VPN-S VRFs need to join the VPN-R MI-PMSI. + + The first choice is used to support the "single PMSI per C-flow" + transmission model. The second choice is used to support the + "multiple PMSIs per C-flow" transmission model. + + + + + +Rekhter, et al. Standards Track [Page 35] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Procedures for both models are described below. + + To support these models, it must be possible to determine which + I-PMSI A-D routes are associated with the VPN-S I-PMSI and which + I-PMSI A-D routes are associated with the VPN-R I-PMSI. Procedures + are given for assigning RTs to these routes in a way that makes this + determination possible. + + Both models allow the use of S-PMSIs to carry multicast data traffic. + If a VRF containing receivers can receive from multiple MI-PMSIs, + each S-PMSI must be uniquely associated with a particular MI-PMSI. + Procedures are given for assigning RTs to these routes in a way that + makes this determination possible. + + All the procedures specified in Sections 3, 4, and 5 still apply. + + Note that there are no special extranet procedures for Inter-AS + I-PMSI A-D routes or for Leaf A-D routes. Source Active A-D routes + are not used when PIM is the PE-PE C-multicast protocol. + +6.1. Provisioning VRFs with RTs + +6.1.1. Incoming and Outgoing Extranet RTs + + In the absence of extranet service, suppose that each VRF of a given + VPN (call it "VPN-S") is configured with RT-S as its import and + export RT, and that each VRF of a second VPN (call it "VPN-R") is + configured with RT-R as its import and export RT. We will refer to + RT-S and RT-R as "non-extranet RTs". + + Now suppose that VPN-S contains some extranet C-sources and VPN-R + contains some extranet C-receivers that are allowed by policy to + receive extranet C-flows from the VPN-S extranet C-sources. + + To set up this S-to-R extranet, provisioning an additional RT (call + it "RT-S-to-R") whose value is, in general, distinct from RT-S and + RT-R is REQUIRED. + + A VPN-S VRF that contains extranet C-sources allowed to transmit to + VPN-R MUST be configured with RT-S-to-R as an "Outgoing Extranet RT". + + A VPN-R VRF that contains extranet C-receivers allowed to receive + packets from VPN-S MUST be configured with RT-S-to-R as an "Incoming + Extranet RT". + + Note that the terms "Incoming" and "Outgoing" in this context refer + to the direction of multicast data packets relative to the VRF. + + + + +Rekhter, et al. Standards Track [Page 36] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + The Incoming Extranet RTs and Outgoing Extranet RTs that are + configured for a given VRF serve as import RTs for that VRF. They + also serve as export RTs, but only for specific routes as specified + in Section 6.1.2 below. + + Note that any VRF that contains both extranet C-sources and extranet + C-receivers MUST be configured with both Outgoing Extranet RTs and + Incoming Extranet RTs. + + A VRF MAY be configured with more than one Incoming Extranet RT + and/or Outgoing Extranet RT. + + If it happens to be the case that all C-sources in VPN-S are extranet + C-sources allowed to transmit to VPN-R, then VPN-S VRFs MAY be + configured such that RT-S is both a non-extranet RT and an Outgoing + Extranet RT, and VPN-R VRFs MAY be configured such that RT-S is an + Incoming Extranet RT. + +6.1.2. UMH-Eligible Routes and RTs + + Suppose that R1 is a route exported from a VPN-S VRF and matching an + extranet C-source that is allowed by policy to transmit to VPN-R. In + that case, R1 MUST carry the Outgoing Extranet RT used for the S-to-R + extranet. This will cause the route to be imported into the VPN-R + VRFs that have extranet C-receivers that are allowed by policy to + receive from VPN-S. + + The rules of Section 4 regarding RTs and ambiguous addresses still + apply. + +6.1.3. PIM C-Instance Reverse Path Forwarding Determination + + Suppose that a PIM control message (call it "M") is received by a + given VRF (call it "VRF-V") from a particular P-tunnel T. In order + to process control message M, the PIM C-instance associated with + VRF-V may need to do an "RPF determination" (see Section 5.2.2 of + [RFC6513]) for a particular IP prefix S. RPF determination is based + upon the rules for UMH selection as specified in Section 5.1 of + [RFC6513]. + + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 37] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + This document specifies an additional constraint on the UMH selection + procedure. When doing RPF determination for a PIM control message + received over a P-tunnel, a route matching prefix S is not considered + to be eligible for UMH selection unless there is an RT (call it + "RT1"), configured as one of VRF-V's Outgoing Extranet RTs, such that + the following two conditions both hold: + + 1. The route matching S is exported from VRF-V carrying RT1, and + + 2. An I-PMSI A-D route advertising P-tunnel T (in its PTA) has been + imported into VRF-V, and that I-PMSI A-D route carries RT1. + +6.2. "Single PMSI per C-Flow" Model + + In this model, if a VPN-S VRF has extranet multicast C-sources and a + VPN-R VRF has extranet multicast C-receivers allowed by policy to + receive from the C-sources in the VPN-S VRF, then the VPN-R VRF joins + the MI-PMSI that VPN-S uses for its non-extranet traffic. + +6.2.1. Forming the MI-PMSIs + + Consider a VPN-S VRF that has extranet C-sources. Per [RFC6513], + each VPN-S VRF must originate an Intra-AS I-PMSI A-D route containing + a PTA specifying the P-tunnel to be used as part of the VPN-S + MI-PMSI. In the absence of extranet service, this route carries the + VRF's non-extranet RT, RT-S. When extranet service is provided + (using the "single PMSI per C-flow" model), this route MUST also + carry each of the VRF's Outgoing Extranet RTs. + + Consider a VPN-R VRF that has extranet C-receivers. Per [RFC6513], + each VPN-R VRF must originate an Intra-AS I-PMSI A-D route containing + a PTA specifying the P-tunnel to be used as part of the VPN-R + MI-PMSI. This route carries the VRF's non-extranet RT, RT-R. When + extranet service is provided (using the "single PMSI per C-flow" + model), the VPN-R VRF MUST also originate one or more additional + Intra-AS I-PMSI A-D routes. It MUST originate one additional + Intra-AS I-PMSI A-D route for each Incoming Extranet RT with which it + has been configured; each such route will carry exactly one of the + configured Incoming Extranet RTs. + + Note that when a VRF originates more than one Intra-AS I-PMSI A-D + route, each of them MUST contain a different RD in its NLRI. In + addition, we add the requirement that any pair of such routes + MUST NOT contain an RT in common. + + + + + + + +Rekhter, et al. Standards Track [Page 38] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + A VRF with extranet C-sources MUST join the P-tunnels advertised in + the imported I-PMSI A-D routes that carry its non-extranet RT or any + of its Outgoing Extranet RTs. This set of P-tunnels will be treated + as instantiating a single MI-PMSI; the associated PIM C-instance will + treat that MI-PMSI as a single LAN and will run PIM procedures on + that LAN, as specified in [RFC6513]. The fact that the MI-PMSI + attaches to VRFs of different VPNs is not known to the PIM C-instance + of the VRF containing the sources. + + A VRF with extranet C-receivers MUST join the P-tunnels advertised in + all the imported I-PMSI A-D routes. The set of P-tunnels advertised + in the I-PMSI A-D routes that carry a particular Incoming Extranet RT + are treated as instantiating a particular MI-PMSI. So, a VRF with + C-receivers will "see" several MI-PMSIs, one corresponding to the + non-extranet, and as many as one for each configured Incoming + Extranet RT. The PIM C-instance associated with the VRF will treat + each of these MI-PMSIs as a separate LAN interface. + + As an example, suppose that: + + o All VPN-R VRFs are configured with RT-R as a non-extranet import + and export RT, and + + o VPN-R VRFs with extranet receivers are configured with RT-S-to-R + as an Incoming Extranet RT, and + + o VPN-S VRFs with extranet transmitters are configured with: + + * RT-S as a non-extranet import and export RT + + * a list of IP addresses that are the addresses of the extranet + sources + + * RT-S-to-R as an Outgoing Extranet RT + + VPN-S VRFs will then export UMH-eligible routes matching extranet + C-sources, and these routes will carry both RT-S and RT-S-to-R. Each + VPN-S VRF will also export an Intra-AS I-PMSI A-D route that carries + both RT-S and RT-S-to-R. + + VPN-R VRFs will originate and export two Intra-AS I-PMSI A-D routes: + one carrying RT-R and one carrying RT-S-to-R. The Intra-AS I-PMSI + A-D route with RT-S-to-R will be imported into the VPN-S VRFs. + + VPN-R will regard all the I-PMSI A-D routes it has exported or + imported with RT-S-to-R as part of a single MI-PMSI. VPN-R will + regard all the I-PMSI A-D routes it has exported or imported with + RT-R as part of a second MI-PMSI. The PIM C-instance associated with + + + +Rekhter, et al. Standards Track [Page 39] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + a VPN-R VRF will treat the two MI-PMSIs as two separate LAN + interfaces. However, the VPN-S VRFs will regard all the I-PMSI A-D + routes imported with RT-S or RT-S-to-R as establishing only a single + MI-PMSI. One can think of this as follows: the VPN-R VRFs have + joined the VPN-S MI-PMSI as well as the VPN-R MI-PMSI. + + Extranets consisting of more than two VPNs are easily supported as + follows. Suppose that there are three VPNs: VPN-A, VPN-B, and VPN-C. + VPN-A and VPN-B have extranet C-sources, and VPN-C contains receivers + for both VPN-A extranet C-sources and VPN-B extranet C-sources. In + this case, the VPN-C VRFs that have receivers for both VPN-A and + VPN-B sources may be provisioned as follows. These VPN-C VRFs may be + provisioned with RT-C as a non-extranet RT, and with RT-A-to-C and + RT-B-to-C as Incoming Extranet RTs. In this case, the VPN-C VRFs + that are so provisioned will originate three Intra-AS I-PMSI A-D + routes (each with a different RD in its NLRI), each of which carries + exactly one of the three RTs just mentioned. The VPN-B VRFs with + extranet C-sources will be provisioned with RT-B-to-C as an Outgoing + Extranet RT, and the VPN-A VRFs will be provisioned with RT-A-to-C as + an Outgoing Extranet RT. The result will be that the PIM C-instance + associated with a VPN-C VRF will see three LAN interfaces: one for + the non-extranet and one for each of the two extranets. This + generalizes easily to the case where there are VPN-C receivers in + n different extranets (i.e., receiving extranet flows whose sources + are in n different VPNs). + + Suppose again that there are three VPNs -- VPN-A, VPN-B, and VPN-C -- + but in this example VPN-A is the only one with extranet sources while + VPN-B and VPN-C both have receivers for the VPN-A extranet sources. + This can be provisioned as either one extranet or two extranets. + + To provision it as one extranet, the VPN-A VRFs are configured with + one Outgoing Extranet RT (call it "RT-A-extranet"). The VPN-B and + VPN-C VRFs with extranet receivers will be provisioned with + RT-A-extranet as the Incoming Extranet RT. Thus, the VPN-B and VPN-C + VRFs will each originate two Intra-AS I-PMSI A-D routes: one for the + non-extranet and one for the extranet. From a given VRF, the + Intra-AS I-PMSI A-D route for the extranet will carry RT-A-extranet + but will not share any RT with the non-extranet A-D routes exported + from the same VRF. + + The result is that the VPN-B and VPN-C VRFs each belong to two + MI-PMSIs: one for the extranet and one for the intranet. The MI-PMSI + for the extranet attaches VPN-A VRFs, VPN-B VRFs, and VPN-C VRFs. + + + + + + + +Rekhter, et al. Standards Track [Page 40] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Alternatively, one could provision the VPN-A VRFs so that some + UMH-eligible extranet source routes carry an RT that we will call + "RT-A-to-B" and some carry an RT that we will call "RT-A-to-C". The + VPN-A VRFs would be configured with both of these as Outgoing + Extranet RTs. To allow an extranet flow from a VPN-A source to have + both VPN-B and VPN-C receivers, the UMH-eligible route for that + source would carry both RTs. VPN-B VRFs (but not VPN-C VRFs) would + be provisioned with RT-A-to-B as an Incoming Extranet RT. VPN-C VRFs + (but not VPN-B VRFs) would be provisioned with RT-A-to-C as an + Incoming Extranet RT. + + Following the rules above, if any VPN-A extranet source is to have + both VPN-B and VPN-C receivers, the VPN-B and VPN-C VRFs will each + originate two I-PMSI A-D routes: one for the extranet and one for the + non-extranet. The single Intra-AS I-PMSI A-D route originated by the + VPN-A VRFs will have both RT-A-to-B and RT-A-to-C among its RTs (as + well as VPN-A's non-extranet RT). The extranet I-PMSI A-D route + originated from a VPN-B VRF would have RT-A-to-B, and the extranet + I-PMSI A-D route originated from a VPN-C VRF would have RT-A-to-C. + + If a given VRF contains both extranet C-receivers and extranet + C-sources, the procedures described above still work, as the VRF will + be configured with both Incoming Extranet RTs and Outgoing Extranet + RTs; the VRF functions as both a VPN-S VRF and a VPN-R VRF. + +6.2.2. S-PMSIs + + When PIM is used as the PE-PE C-multicast control plane, every S-PMSI + is considered to be part of the "emulated LAN" that "corresponds" to + a particular MI-PMSI. + + When the bindings of C-flows to particular S-PMSIs are announced via + S-PMSI Join messages (Section 7 of [RFC6513]) sent on the MI-PMSI, + the S-PMSI is considered to be part of the same LAN interface as the + corresponding MI-PMSI. + + When the bindings of C-flows to particular S-PMSIs are announced via + S-PMSI A-D routes, any S-PMSI A-D route exported from that VRF MUST + have an RT in common with exactly one of the Intra-AS A-D routes + exported from that VRF, and this MUST be one of the VRF's Outgoing + Extranet RTs. Further, the S-PMSI A-D route MUST NOT have an RT in + common with any other Intra-AS A-D route exported from a VRF on the + same PE. A given S-PMSI A-D route will be considered to "correspond" + to the MI-PMSI of the Intra-AS I-PMSI A-D route (originated from the + same PE) with which it shares an RT. + + + + + + +Rekhter, et al. Standards Track [Page 41] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + The MI-PMSI that corresponds to a given S-PMSI is determined as + follows: + + o If (1) there is an Intra-AS I-PMSI A-D route originated by the + same PE that originated the S-PMSI A-D route, (2) those two routes + have an RT in common, and (3) that RT is one of the VRF's Incoming + Extranet RTs, then the S-PMSI corresponds to the I-PMSI associated + with that Intra-AS I-PMSI A-D route. + + o Otherwise, if (1) there is an Inter-AS I-PMSI A-D route originated + in the same AS as the S-PMSI A-D route, (2) those two routes have + an RT in common, and (3) that RT is one of the VRF's Incoming + Extranet RTs, then the S-PMSI corresponds to the I-PMSI associated + with that Inter-AS I-PMSI A-D route. + + o Otherwise, there must be a configuration error (a violation of the + requirements of Sections 3, 4, and 5 of this document). + + When wildcard S-PMSIs are used, the rules given in [RFC6625] for + determining whether a given S-PMSI A-D route is a "match for + reception" to a given (C-S,C-G) or (C-*,C-G) are modified as follows: + + A given S-PMSI A-D route MUST NOT be considered to be a "match for + reception" for a given (C-S,C-G) or (C-*,C-G) state UNLESS that + S-PMSI A-D route "corresponds" (as defined above) to the MI-PMSI + that is the incoming interface for the given state. + + The rules given in [RFC6625] for determining whether a given S-PMSI + A-D route is a "match for transmission" are unchanged. + +6.2.3. Sending PIM Control Packets + + Suppose that a PE, say PE1, receives a PIM Join(S,G) from a CE, over + a VRF interface that is associated with a VPN-R VRF. The PE does the + RPF check for S by looking up S in the VPN-R VRF. The PIM C-instance + associated with that VRF must determine the correct P-tunnel over + which to send a PIM Join(S,G) to other PEs. + + To do this, PE1 finds, in the VRF associated with the interface over + which the Join was received, the selected UMH route for S, following + the procedures of Section 5.1 of [RFC6513]. PE1 determines the set + of RTs carried by that route. PE1 then checks to see if there is an + Intra-AS I-PMSI A-D route, currently originated by PE1, that has an + RT in common with the selected UMH route for S. + + + + + + + +Rekhter, et al. Standards Track [Page 42] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + If the rules of Sections 3, 4, and 5 have been followed, each of + PE1's selected UMH routes will share an RT with a single one of PE1's + currently originated Intra-AS I-PMSI A-D routes. If this is so, the + Join is sent on the P-tunnel advertised in the PTA of that route. + Otherwise, the Join MUST NOT be sent. + + In essence, this procedure makes the RPF check for C-S resolve to the + MI-PMSI that is serving as the next-hop "interface" to C-S. + + If a PE receives a PIM Join(*,G) from a CE, the procedure for doing + the RPF check is the same, except that the selected UMH route will be + a route to the C-RP associated with the C-G group. + +6.2.4. Receiving PIM Control Packets + + When a PIM C-instance receives a PIM control message from a P-tunnel, + it needs to identify the message's incoming interface. This incoming + interface is the MI-PMSI of which the P-tunnel is a part. + +6.2.5. Sending and Receiving Data Packets + + The rules for choosing the PMSI on which to send a multicast data + packet are as specified in [RFC6513] and [RFC6625], with one new + restriction: a VPN-S VRF always transmits a multicast data packet + either on the VPN-S MI-PMSI or on an S-PMSI that corresponds to the + VPN-S MI-PMSI. From the perspective of the PIM C-instance, there is + only one outgoing interface. + + When a PIM C-instance receives a multicast data packet from a given + P-tunnel and that P-tunnel is being used to instantiate an MI-PMSI, + the MI-PMSI of which the P-tunnel is a part (see Sections 6.2.1 and + 6.2.2) is considered to be the packet's incoming interface. If the + packet is received on a P-tunnel that was advertised in an S-PMSI A-D + route, the packet's incoming interface is the MI-PMSI to which that + S-PMSI route corresponds, as defined in Section 6.2.2. Ordinary PIM + rules for data-plane RPF checks apply. + + Following ordinary PIM procedures, packets arriving from an + unexpected incoming interface are discarded. This eliminates any + problems due to the ambiguities described in Sections 2.1 and 2.2. + +6.3. "Multiple PMSIs per C-Flow" Model + + In this model, if a VPN-S VRF has extranet multicast C-sources and a + VPN-R VRF has extranet multicast C-receivers allowed by policy to + receive from the C-sources in the VPN-S VRF, then the VPN-S VRF joins + the MI-PMSI that VPN-R uses for its non-extranet traffic. + + + + +Rekhter, et al. Standards Track [Page 43] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + In the "single PMSI per C-flow" transmission model (as described in + Section 6.2), a PE that needs to transmit a multicast data packet to + a set of other PEs transmits the packet on a single PMSI. This means + that if a packet needs to be transmitted from a VPN-A VRF and + received at a VPN-B VRF and a VPN-C VRF, there must be some P-tunnel + from which the VPN-B and VPN-C VRFs can both receive packets. + + In the "multiple PMSIs per C-flow" transmission model, a PE that + needs to transmit a multicast data packet to a set of other PEs may + transmit the packet on several different PMSIs. (Of course, any + given packet is transmitted only once on a given P-tunnel.) For + example, if a C-flow (C-S,C-G) has a VPN-A C-source, a VPN-B + receiver, and a VPN-C receiver, there could be one PMSI that the + VPN-A VRF uses to transmit the packet to the VPN-B VRFs and + another PMSI that the VPN-A VRF uses to transmit the packet to the + VPN-C VRFs. + +6.3.1. Forming the MI-PMSIs + + Consider a VPN-R VRF that has extranet C-receivers. Per [RFC6513], + each VPN-R VRF must originate an Intra-AS I-PMSI A-D route containing + a PTA specifying the P-tunnel to be used as part of the VPN-R + MI-PMSI. In the absence of extranet service, this route carries the + VRF's non-extranet RT, RT-R. When extranet service is provided + (using the "single PMSI per C-flow" model), this route MUST also + carry each of the VRF's Incoming Extranet RTs. + + Consider a VPN-S VRF that has extranet C-sources. Per [RFC6513], + each VPN-S VRF must originate an Intra-AS I-PMSI A-D route containing + a PTA specifying the P-tunnel to be used as part of the VPN-S + MI-PMSI. This route carries the VRF's non-extranet RT, RT-S. When + extranet service is provided using the "multiple PMSIs per C-flow" + model, the VPN-S VRF MUST also originate one or more additional + Intra-AS I-PMSI A-D routes. It MUST originate one additional + Intra-AS I-PMSI A-D route for each Outgoing Extranet RT with which it + has been configured; each such route will have a distinct RD and will + carry exactly one of the configured Outgoing Extranet RTs. + + As with the "single PMSI per C-flow" transmission model, VRFs + containing extranet C-receivers need to import UMH-eligible extranet + C-source routes from VRFs containing C-sources. This is ensured by + the rules of Sections 3, 4, and 5. + + However, in the "multiple PMSIs per C-flow" model, a VRF containing + only C-receivers originates only a single Intra-AS I-PMSI A-D route + carrying the non-extranet RT and all the Incoming Extranet RTs. + + + + + +Rekhter, et al. Standards Track [Page 44] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + When a VRF containing C-receivers imports Intra-AS I-PMSI A-D routes + that carry the non-extranet RT or one of the Incoming Extranet RTs, + the P-tunnels specified in the PTA of all such routes are considered + to be part of the same MI-PMSI. That is, the associated PIM + C-instance will treat them as part of a single interface. + + In this model, it is the VRF containing extranet C-sources that MUST + originate multiple Intra-AS I-PMSI A-D routes. Each such route MUST + have a distinct RD, and the set of RTs carried by any one of these + routes MUST be disjoint from the set carried by any other. There + MUST be one such route for each of the VRF's Outgoing Extranet RTs, + and each such route MUST carry exactly one of the VRF's Outgoing + Extranet RTs. The VRFs containing extranet C-sources MUST also + import all the A-D routes originated by the VRFs containing extranet + C-receivers. If a set of originated and/or imported Intra-AS I-PMSI + A-D routes have an RT in common and that RT is one of the VRF's + Outgoing Export RTs, then those routes are considered to be "about" + the same MI-PMSI. The PIM C-instance of the VRF treats each MI-PMSI + as a LAN interface. + + In effect, if VPN-S has only extranet C-sources and VPN-R has only + extranet C-receivers, this model has the VPN-S VRFs join the VPN-R + MI-PMSI. The VPN-S VRFs will thus be attached to multiple MI-PMSIs, + while the VPN-R VRFs are attached to only one. The fact that the + VPN-R MI-PMSI is attached to VPN-S VRFs is not known to the PIM + C-instance at the VPN-R VRFs. + + If a VPN-A VRF has extranet C-sources allowed to send to C-receivers + in a VPN-B VRF and the VPN-B VRF has C-sources allowed to send to + C-receivers in the VPN-A VRF, the above procedures still work as + specified. + + Following normal PIM procedures, when the PIM C-instance at a VRF + with extranet C-sources receives a Join(C-S,C-G) or a Join(C-*,C-G) + over an MI-PMSI, it may create (C-S,C-G) or (C-*,C-G) state, and the + MI-PMSI over which the Join was received may be added to the set of + outgoing interfaces for that multicast state. If n MI-PMSIs are + added to the outgoing interface list for a particular multicast + state, a multicast data packet may need to be replicated n times and + transmitted once on each of the n MI-PMSIs. + + Since all of the multicast data packets received from another PE are + received over a single emulated LAN, it is not necessary to have any + special procedures to determine a packet's incoming interface. The + ambiguities described in Sections 2.1 and 2.2 do not occur, because a + VPN-R VRF can only receive multicast data traffic that has been + requested by a VPN-R VRF. + + + + +Rekhter, et al. Standards Track [Page 45] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +7. When BGP Is the PE-PE C-Multicast Control Plane + + This document assumes that if BGP is used as the PE-PE C-multicast + control plane, the "single PMSI per C-flow" model is used. + Procedures for providing the "multiple PMSIs per C-flow" model with + BGP C-multicast are outside the scope of this document. + + When BGP is used as the C-multicast control plane, the "single PMSI + per C-flow" model may be used either with or without extranet + separation. (Recall that "extranet separation" means that no + P-tunnel can carry traffic from both extranet sources and + non-extranet sources.) In either case, the data traffic may be + carried on Inclusive Tunnels only, Selective Tunnels only (known as + the "S-PMSI only" model), or a combination of Inclusive Tunnels and + Selective Tunnels. This is determined by provisioning. The + procedures specified below support all three choices. + + Note that there are no special extranet procedures for Inter-AS + I-PMSI A-D routes or for Leaf A-D routes. + +7.1. Originating C-Multicast Routes + + This section applies whether extranet separation is used or not. + + When it is necessary to originate a C-multicast Source Tree Join for + (C-S,C-G), a PE must follow the procedures of Section 11.1.3 + ("Constructing the Rest of the C-Multicast Route") of [RFC6514] to + find the selected UMH route for C-S. When it is necessary to + originate a C-multicast Shared Tree Join for (C-*,C-G), where C-G is + an ASM group, a PE must follow the procedures of that section to find + the selected UMH route for C-G's C-RP. + + Section 11.1.3 of [RFC6514] specifies how information from the + selected UMH route is used to find an Intra-AS I-PMSI A-D route or an + Inter-AS I-PMSI A-D route. Information from that I-PMSI A-D route is + then used to construct part of the C-multicast route. + + For extranets, the rules given in Section 7.4.5 of this document are + used to find the Inter-AS I-PMSI A-D route or an Intra-AS I-PMSI A-D + route that "corresponds" to the selected UMH route; the rules in + Section 7.4.5 replace the rules given in Section 11.1.3 of [RFC6514] + for finding the Inter-AS or Intra-AS I-PMSI A-D route. + + Information from this I-PMSI A-D route is then used, as specified in + Section 11.1.3 of [RFC6514], to construct the C-multicast route. + + + + + + +Rekhter, et al. Standards Track [Page 46] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +7.2. Originating A-D Routes without Extranet Separation + +7.2.1. Intra-AS I-PMSI A-D Routes + + Consider a VRF (call it "VRF-S") that contains extranet C-sources and + exports UMH-eligible routes matching those C-sources. The VRF may + also originate and export an Intra-AS I-PMSI A-D route. + + As specified in [RFC6514], if exactly one Intra-AS I-PMSI A-D route + is originated by and exported from VRF-S, the RTs carried by that + route MUST be chosen such that every VRF that imports a UMH-eligible + route from VRF-S also imports this Intra-AS I-PMSI A-D route. + + If inclusive P-tunnels are being used to carry extranet C-flows, + there are additional requirements on the way the RTs carried by the + Intra-AS I-PMSI A-D routes must be chosen, as specified in the + following paragraph. + + If VRF-S is using inclusive P-tunnels but is not using extranet + separation, there is one inclusive P-tunnel rooted at VRF-S, and this + tunnel carries both extranet and non-extranet C-flows. This + Inclusive Tunnel is identified in the PTA of the Intra-AS I-PMSI A-D + route originated from VRF-S. The set of RTs carried by this Intra-AS + I-PMSI A-D route MUST be chosen so as to ensure that every VRF that + imports a UMH-eligible route from this VRF-S also imports this + Intra-AS I-PMSI A-D route. Further, the set of RTs carried by this + Intra-AS I-PMSI A-D route MUST be chosen such that it has at least + one RT in common with every UMH-eligible route that is exported from + the VRF. + +7.2.2. S-PMSI A-D Routes + + Let R-SP be an S-PMSI A-D route that is exported from VRF-S. Suppose + that R-SP is used to bind some or all of the extranet C-flows from a + given extranet C-source to a given selective P-tunnel. Let R-UMH be + a UMH-eligible route that is exported from VRF-S and matches the + given extranet C-source. In that case, R-SP and R-UMH MUST have at + least one RT in common. Further, the RTs carried by these two routes + MUST be such that every VRF that imports R-UMH also imports R-SP. + These rules apply whether or not R-SP uses wildcards [RFC6625]. + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 47] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + An implementation MUST allow the set of RTs carried by the S-PMSI A-D + routes to be specified by configuration. In the absence of such + configuration, an S-PMSI A-D route originated by a given VRF, say + VRF-X, MUST carry a default set of RTs, as specified by the following + rules: + + 1. By default, an S-PMSI A-D route originated by VRF-X for a given + (C-S,C-G) or (C-S,C-*) carries the same RT(s) as the UMH-eligible + route originated by VRF-X that matches C-S. + + 2. By default, an S-PMSI A-D route originated by VRF-X for a given + (C-*,C-G) carries as its RTs a set union of all RT(s) of the + UMH-eligible route(s) matching the multicast C-sources contained + in VRF-X that could originate traffic for that C-G. Moreover, if + the VRF contains (as defined in Section 1.1) the C-RP of C-G, + then this set union also includes the RT(s) of the UMH-eligible + route matching C-RP and the RT(s) of the unicast VPN-IP route + matching C-RP. + + 3. By default, if a (C-*,C-*) S-PMSI A-D route originated by VRF-X + is to be used for both extranet and non-extranet traffic, it + carries the same RTs that would be carried (as specified in + Section 7.2.1) by an I-PMSI A-D route originated by VRF-X if that + I-PMSI A-D route were advertising an inclusive P-tunnel for + carrying both extranet and non-extranet traffic. In general, a + given VRF would not originate both (a) an S-PMSI A-D route + advertising a (C-*,C-*) selective P-tunnel for both extranet and + non-extranet traffic and (b) an I-PMSI A-D route advertising an + inclusive P-tunnel for both extranet and non-extranet traffic, as + the inclusive P-tunnel would not get used in that case. + +7.2.3. Source Active A-D Routes + +7.2.3.1. When Inter-Site Shared Trees Are Used + + This section applies when inter-site shared trees are used, as + specified in Section 13 of [RFC6514]. + + If VRF-S exports a Source Active A-D route that contains C-S in the + Multicast Source field of its NLRI and VRF-S also exports a + UMH-eligible route matching C-S, the Source Active A-D route MUST + carry at least one RT in common with the UMH-eligible route. The RT + MUST be chosen such that the following condition holds: if a VRF, say + VRF-R, contains an extranet C-receiver allowed by policy to receive + extranet traffic from C-S, then VRF-R imports both the UMH-eligible + route and the Source Active A-D route. + + + + + +Rekhter, et al. Standards Track [Page 48] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + By default, a Source Active A-D route for a given (C-S,C-G), exported + by a given VRF, carries the same set of RTs as the UMH-eligible route + matching C-S that is exported from that VRF. + +7.2.3.2. When Inter-Site Shared Trees Are Not Used + + This section applies when inter-site shared trees are not used, as + specified in Section 14 of [RFC6514]. + + Suppose that a VRF, say VRF-X, contains the C-RP for a given extranet + C-group, say C-G. If C-S is an active source for C-G, then, + following the procedures of Section 14.1 of [RFC6514], VRF-X may + export a Source Active A-D route that contains C-S in the Multicast + Source field of its NLRI. With the following text, this document + replaces the rule specified in Section 14.1 of [RFC6514] for + constructing the RT(s) carried by such a route: VRF-X MUST be + configured such that the Source Active A-D route for (C-S,C-G) + carries the same set of RTs as the UMH-eligible route matching C-S + that is exported from the VRF(s) containing C-S. This way, if a VRF, + say VRF-R, contains an extranet C-receiver allowed by policy to + receive extranet traffic from C-S, then VRF-R imports both the + UMH-eligible route and the Source Active A-D route. + +7.3. Originating A-D Routes with Extranet Separation + + If a VRF contains both extranet C-sources and non-extranet C-sources, + it MUST be configured with both a default RD and an extranet RD (see + Section 1.3). The use of these RDs is explained in the following + subsections. + +7.3.1. Intra-AS I-PMSI A-D Routes + + This section applies when VRF-S is using extranet separation AND when + VRF-S is using an inclusive P-tunnel to carry some or all of the + extranet C-flows that it needs to transmit to other VRFs. + + If VRF-S contains both extranet C-sources and non-extranet C-sources, + and inclusive P-tunnels are used to carry both extranet C-flows and + non-extranet C-flows, then there MUST be two Inclusive Tunnels from + VRF-S, one of which is to be used only to carry extranet C-flows (the + "extranet inclusive P-tunnel") and one of which is to be used only to + carry non-extranet C-flows (the "non-extranet inclusive P-tunnel"). + + + + + + + + + +Rekhter, et al. Standards Track [Page 49] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + In this case, the VRF MUST originate two Intra-AS I-PMSI A-D routes. + Their respective NLRIs MUST of course have different RDs. One of the + Intra-AS I-PMSI A-D routes identifies the extranet inclusive P-tunnel + in its PTA. This route MUST have the VRF's extranet RD in its NLRI. + The other route identifies the non-extranet inclusive P-tunnel in its + PTA. This route MUST have the VRF's default RD in its PTA. + + If VRF-S uses an inclusive P-tunnel for carrying extranet traffic but + does not use an inclusive P-tunnel for carrying non-extranet traffic, + then of course only a single Intra-AS I-PMSI A-D route need be + originated. The PTA of this route identifies the "extranet inclusive + P-tunnel". The NLRI of that route MUST contain the VRF's + extranet RD. + + An Intra-AS I-PMSI A-D route whose PTA identifies an extranet + inclusive P-tunnel MUST carry the Extranet Separation Extended + Community defined in Section 4.5. + + The RTs carried by an Intra-AS I-PMSI A-D route whose PTA identifies + the "extranet inclusive P-tunnel" MUST be chosen such that the + following condition holds: if a VRF (call it "VRF-R") imports a + UMH-eligible route from VRF-S and that route matches an extranet + C-source, then VRF-R also imports that Intra-AS I-PMSI A-D route. + + Note that when extranet separation is used, it is possible to use an + inclusive P-tunnel for non-extranet traffic while using only + selective P-tunnels for extranet traffic. It is also possible to use + an inclusive P-tunnel for extranet traffic while using only selective + P-tunnels for non-extranet traffic. + +7.3.2. S-PMSI A-D Routes + + Let R-SP be an S-PMSI A-D route that is exported from VRF-S. Suppose + that R-SP is used to bind some or all of the extranet C-flows from a + given extranet C-source to a given selective P-tunnel. Let R-UMH be + a UMH-eligible route that is exported from VRF-S and matches the + given extranet C-source. In that case, R-SP and R-UMH MUST have at + least one RT in common. Further, the RTs carried by these two routes + MUST be such that every VRF that imports R-UMH also imports R-SP. + These rules apply whether or not R-SP uses wildcards [RFC6625]. + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 50] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + The following rules, specific to the use of extranet separation, + apply: + + o A selective P-tunnel MUST NOT carry C-flows from both extranet and + non-extranet C-sources. + + o If it is desired to use a (C-*,C-*) S-PMSI to carry extranet + traffic and also use a (C-*,C-*) S-PMSI to carry non-extranet + traffic, then two (C-*,C-*) S-PMSI A-D routes MUST be originated. + These two routes MUST have different RDs in their respective NLRI + fields, and their respective PTAs MUST identify different + P-tunnels. If the route advertises a P-tunnel that carries only + non-extranet traffic, the route's NLRI MUST contain the VRF's + default RD. If the route advertises a P-tunnel that carries only + extranet traffic, the route's NLRI MUST contain the VRF's + extranet RD. + + o In the following cases, an S-PMSI A-D route exported from the VRF + MUST have the VRF's extranet RD in its NLRI: + + * The S-PMSI A-D route is a (C-S,C-G) or a (C-S,C-*) S-PMSI A-D + route, and C-S is an extranet C-source. + + * The S-PMSI A-D route is a (C-*,C-G) S-PMSI A-D route, and C-G + is an extranet C-group. + + In all other cases, a (C-S,C-G), (C-S,C-*), or (C-*,C-G) S-PMSI + A-D route MUST have the VRF's default RD in its NLRI. + + o A (C-*,C-*) S-PMSI A-D route advertising a P-tunnel that is used + to carry extranet traffic MUST carry the Extranet Separation + Extended Community defined in Section 4.5. + + An implementation MUST allow the set of RTs carried by the S-PMSI A-D + routes to be specified by configuration. In the absence of such + configuration, an S-PMSI A-D route originated by a given VRF, say + VRF-X, MUST carry a default set of RTs, as specified by the following + rules: + + 1. Rule 1 of Section 7.2.2 applies. + + 2. By default, if C-G is an extranet C-group, rule 2 of + Section 7.2.2 applies. + + 3. By default, if a (C-*,C-*) S-PMSI A-D route originated by VRF-X + is to be used for extranet traffic, it carries the same RTs that + would be carried (as specified in Section 7.3.1) by an I-PMSI A-D + route originated by VRF-X if that I-PMSI A-D route were + + + +Rekhter, et al. Standards Track [Page 51] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + advertising an inclusive P-tunnel for carrying extranet traffic. + In general, a given VRF would not originate both an S-PMSI A-D + route advertising a (C-*,C-*) selective P-tunnel for extranet + traffic and an I-PMSI A-D route advertising an inclusive P-tunnel + for extranet traffic, as the inclusive P-tunnel would not get + used in that case. + +7.3.3. Source Active A-D Routes + + The procedures of Section 7.2.3 apply. + + However, if a Source Active A-D route is exported from a given VRF + and the route contains C-S, where C-S is an extranet C-source, then + the RD of the route's NLRI MUST be the extranet RD of the VRF. + Otherwise, the RD is the default RD of the VRF. + +7.4. Determining the Expected P-Tunnel for a C-Flow + + This section applies whether extranet separation is used or not. + + In the context of a VRF with receivers for a particular C-flow, a PE + must determine the P-tunnel over which packets of that C-flow are + expected to arrive. This is done by finding an I-PMSI or S-PMSI A-D + route that "matches" the flow. The matching A-D route will contain a + PTA that specifies the P-tunnel being used to carry the traffic of + that C-flow. We will refer to this P-tunnel as the "expected + P-tunnel" for the C-flow. (Note that, per [MVPN-IR], if the PTA + specifies a tunnel of type "Ingress Replication" (IR), the identifier + of the P-tunnel is actually the NLRI of the I-PMSI or S-PMSI A-D + route. If the PTA specifies a tunnel type other than IR, the + identifier of the P-tunnel is found in the Tunnel Identifier field of + the PTA.) + + A PE that needs to receive a given (C-S,C-G) or (C-*,C-G) C-flow MUST + join the expected P-tunnel for that C-flow, and the PE MUST remain + joined to the P-tunnel as long as (1) the PE continues to need to + receive the given C-flow and (2) the P-tunnel continues to remain the + expected P-tunnel for that C-flow. Procedures for joining and + leaving a tunnel depend, of course, on the tunnel type. + + If a PTA specifies a non-zero MPLS label for a tunnel that is not an + IR tunnel, then the PE originating the A-D route containing that PTA + is advertising an aggregate P-tunnel. The aggregate P-tunnel can be + thought of as an outer P-tunnel multiplexing some number of inner + P-tunnels. The inner P-tunnels are demultiplexed by means of the + MPLS label in the PTA. In this document, when we talk of the + "expected P-tunnel" in the context of an aggregate P-tunnel, we refer + + + + +Rekhter, et al. Standards Track [Page 52] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + to a particular inner P-tunnel, not to the outer P-tunnel. It is + this "inner P-tunnel" that is the expected P-tunnel for a given + C-flow. + + In order to find the expected P-tunnel for a given C-flow, the + upstream PE of the C-flow is first determined. Then, the S-PMSI A-D + routes originated by that PE are examined, and their NLRIs compared + to the (C-S/C-RP,C-G) of the flow, to see if there is a "match for + reception". (If there is no S-PMSI A-D route that matches a given + C-flow, the expected P-tunnel for that C-flow may have been + advertised in an I-PMSI A-D route; see Section 7.4.5.) + + The rules for determining, in non-extranet cases, whether a given + C-flow is a "match for reception" for a given S-PMSI A-D route are + given in Section 3.2 of [RFC6625]. Note that we use the terms + "installed" and "originated" as they are defined in Section 3.2 of + [RFC6625]. (See also Section 1.1 of this document.) + + This specification provides additional rules for determining whether + a given S-PMSI A-D route is a "match for reception" for a given + (C-S/C-RP,C-G). Note that these rules all assume the context of a + particular VRF into which the A-D route has been imported. + + The rules given in [RFC6625] for determining whether a given S-PMSI + A-D route is a "match for transmission" remain unchanged. + + Suppose that a PE has originated a C-multicast Shared Tree Join for + (C-*,C-G) but has not originated a C-multicast Source Tree Join for + (C-S,C-G). Suppose also that the PE has received and installed a + Source Active A-D route for (C-S,C-G). As described in Section 13.2 + of [RFC6514], the PE must receive the (C-S,C-G) traffic from the + tunnel the originator of the installed Source Active A-D route uses + for sending (C-S,C-G). + + The originator of the installed Source Active A-D route is determined + as follows: + + 1. Look at the "UMH Route Candidate Set" for C-S, as defined in + Section 5.1.3 of [RFC6513]. + + 2. From that set, select a subset of UMH routes to C-S, such that + each route in the subset has at least one RT in common with the + Source Active A-D route and at least one of the RTs in common is + an import RT of the VRF. + + 3. From that subset, find the route whose RD is the same as the RD + from the NLRI of the Source Active A-D route. + + + + +Rekhter, et al. Standards Track [Page 53] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + 4. The upstream PE is the PE identified in the VRF Route Import + Extended Community of that route. + + 5. The upstream AS is the AS identified in the Source AS Extended + Community of that route. + + If step 2 results in an empty set or step 3 fails to find a route, + then the upstream PE of the Source Active A-D route cannot be + determined, and it is necessary to act as if the Source Active A-D + route had not been installed. (A subsequent change to the UMH Route + Candidate Set for C-S may require that a new attempt be made to + determine the upstream PE.) + + Once the upstream PE is determined, the P-tunnel over which the flow + is expected is determined according to the procedures already + described in this section. + +7.4.1. (C-S,C-G) S-PMSI A-D Routes + + When extranet functionality is being provided, an S-PMSI A-D route + whose NLRI contains (C-S,C-G) is NOT considered to be a "match for + reception" for a given C-flow (C-S,C-G) unless one of the following + conditions holds (in addition to the conditions specified in + [RFC6625]): + + o the "single C-source per (C-S,C-G) or (C-S,C-*) P-tunnel" is + provisioned, or + + o the selected UMH route for C-S has at least one RT in common with + the S-PMSI A-D route, and at least one of the common RTs is an + import RT of the VRF. + +7.4.2. (C-S,C-*) S-PMSI A-D Routes + + When extranet functionality is being provided, an S-PMSI A-D route + whose NLRI contains (C-S,C-*) is NOT considered to be a "match for + reception" for a given C-flow (C-S,C-G) unless one of the following + conditions holds (in addition to the conditions specified in + [RFC6625]): + + o the "single C-source per (C-S,C-G) or (C-S,C-*) P-tunnel" is + provisioned, or + + o the selected UMH route for C-S has at least one RT in common with + the S-PMSI A-D route, and at least one of the common RTs is an + import RT of the VRF. + + + + + +Rekhter, et al. Standards Track [Page 54] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +7.4.3. (C-*,C-G) S-PMSI A-D Routes + + When extranet functionality is being provided, an S-PMSI A-D route + whose NLRI contains (C-*,C-G) is NOT considered to be a "match for + reception" for a given C-flow (C-S,C-G) in a given VRF unless either + condition 1 or condition 2 below holds (in addition to the conditions + specified in [RFC6625]): + + 1. The given VRF has currently originated a C-multicast Shared Tree + Join route for (C-*,C-G), and + + a. (C-*,C-G) matches an installed (C-*,C-G) S-PMSI A-D route + (according to [RFC6625]) in the given VRF, and + + b. either + + i. the "single C-group per (C-*,C-G) P-tunnel" policy has + been provisioned, or + + ii. the RTs of that S-PMSI A-D route form a non-empty + intersection with the RTs carried in the VRF's + selected UMH route for C-RP of that C-G, or + + iii. installed in the VRF is at least one (C-S,C-G) Source + Active A-D route that was originated by the same PE as + the (C-*,C-G) S-PMSI A-D route. + + 2. The given VRF does not have a currently originated C-multicast + Shared Tree Join for (C-*,C-G), but + + a. there are one or more values for C-S for which the VRF has a + currently originated Source Tree Join C-multicast route for + (C-S,C-G), and + + b. the (C-* C-G) S-PMSI A-D route matches (according to + [RFC6625]) each such (C-S,C-G), and + + c. either + + i. the "single C-group per (C-*,C-G) P-tunnel" policy has + been provisioned, or + + ii. the RTs of that S-PMSI A-D route form a non-empty + intersection with the RTs carried in the VRF's selected + UMH routes for each such C-S + + + + + + +Rekhter, et al. Standards Track [Page 55] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + If a VRF has an installed (C-*,C-G) S-PMSI A-D route but does not + have a (C-S,C-G) or (C-*,C-G) multicast state that matches that + route for reception, the procedures of Section 12.3 ("Receiving + S-PMSI A-D Routes by PEs") of [RFC6514] are not invoked for that + route. If those multicast states are created at some later time + when the route is still installed, the procedures of Section 12.3 + of [RFC6514] are invoked at that time. + +7.4.4. (C-*,C-*) S-PMSI A-D Routes + + A (C-*,C-*) S-PMSI A-D route (call it "R-AD") is NOT considered to be + a "match for reception" for a given C-flow (C-S,C-G) or (C-*,C-G) + unless the following conditions hold (in addition to the conditions + specified in [RFC6625]): + + o The selected UMH route (call it "R-UMH") for C-S or for C-G's + C-RP, respectively, has at least one RT in common with R-AD, and + at least one of the common RTs is an import RT of the VRF. + + o Either R-AD and R-UMH both carry the Extranet Separation Extended + Community or neither carries the Extranet Separation Extended + Community. + +7.4.5. I-PMSI A-D Routes + + If a particular egress VRF in a particular egress PE contains no + matching S-PMSI A-D routes for a particular C-flow, then the C-flow + is expected to arrive (at that egress VRF) on an inclusive P-tunnel. + + Suppose that an egress PE has originated a (C-S,C-G) C-multicast + Source Tree Join. Let R-UMH be the selected UMH route (in the given + egress VRF) for C-S. As specified in [RFC6514], the selected + upstream PE for (C-S,C-G) is determined from the VRF Route Import + Extended Community of R-UMH, and the "selected upstream AS" for the + flow is determined from the Source AS Extended Community of R-UMH. + + Suppose that an egress PE has originated a (C-*,C-G) C-multicast + Shared Tree Join but has not originated a (C-S,C-G) C-multicast + Source Tree Join. If the egress VRF does not have a (C-S,C-G) Source + Active A-D route installed, the selected upstream PE is determined + from the VRF Route Import Extended Community of the installed + UMH-eligible route matching C-RP, where C-RP is the RP for the group + C-G. The selected upstream AS for the flow is determined from the + Source AS Extended Community of that route. If the egress VRF does + have a (C-S,C-G) Source Active A-D route installed, the selected + upstream PE and upstream AS are determined as specified in + Section 7.4. In either case, let R-UMH be the installed UMH-eligible + route matching C-S. + + + +Rekhter, et al. Standards Track [Page 56] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + The inclusive P-tunnel that is expected to be carrying a particular + C-flow is found as follows: + + o If the selected upstream AS is the local AS or segmented Inter-AS + P-tunnels are not being used to instantiate I-PMSIs, then look in + the VRF for an installed Intra-AS I-PMSI A-D route, R-AD, such + that (a) R-AD is originated by the selected upstream PE, (b) R-AD + has at least one RT in common with R-UMH, (c) at least one of the + common RTs is an import RT of the local VRF, and (d) either R-AD + and R-UMH both carry the Extranet Separation Extended Community or + neither carries the Extranet Separation Extended Community. + + The PTA of R-AD specifies the P-tunnel over which the traffic of + the given C-flow is expected. + + o If the selected upstream AS is not the local AS and segmented + Inter-AS P-tunnels are being used to instantiate I-PMSIs, then + look in the VRF for an installed Inter-AS I-PMSI A-D route, R-AD, + such that (a) the Source AS field of R-AD's NLRI contains the AS + number of the selected upstream AS, (b) R-AD has at least one RT + in common with R-UMH, (c) at least one of the common RTs is an + import RT of the local VRF, and (d) either R-AD and R-UMH both + carry the Extranet Separation Extended Community or neither + carries the Extranet Separation Extended Community. + + The PTA of R-AD specifies the P-tunnel over which the traffic of + the given C-flow is expected. + +7.5. Packets Arriving from the Wrong P-Tunnel + + Any packets that arrive on a P-tunnel other than the expected + P-tunnel (as defined in Section 7.4) MUST be discarded unless it is + known that all the packets carried by both P-tunnels are from the + same ingress VRF. (See Section 2.3.1 for a more detailed discussion + of when to discard packets from other than the expected P-tunnel.) + Note that packets arriving on the wrong P-tunnel are to be discarded + even if they are arriving from the expected PE. + +8. Multiple Extranet VRFs on the Same PE + + When multiple VRFs that contain extranet receivers for a given + extranet source are present on the same PE, this PE becomes a single + leaf of the P-tunnel used for sending (multicast) traffic from that + source to these extranet receivers. The PE MUST be able to replicate + this traffic to the multiple VRFs. Specific procedures for doing so + are local to the PE and are outside the scope of this document. + + + + + +Rekhter, et al. Standards Track [Page 57] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + Two or more VRFs on the same PE may import the same S-PMSI A-D route. + If this S-PMSI A-D route contains a PTA that has its "Leaf + Information Required" flag set, it may be necessary for the PE to + originate a Leaf A-D route whose NLRI is computed from the NLRI of + the S-PMSI A-D route. (Details are provided in [RFC6514].) Note + that for a given S-PMSI A-D route, the PE can originate only one + corresponding Leaf A-D route, even if the S-PMSI A-D route is + imported into multiple VRFs. This Leaf A-D route can thus be thought + of as originating from several VRFs. It MUST NOT be withdrawn by the + PE until there are no longer any VRFs originating it. + + [RFC6514] specifies conditions under which a PE originates a + C-multicast Source Tree Join or a C-multicast Shared Tree Join, based + on the (*,G) and (S,G) states associated with a given VRF. It also + specifies the procedure for computing the NLRI of each such route. + While a given PE may contain two or more VRFs that have (extranet) + receivers for the same extranet C-flow, the PE cannot originate more + than one BGP route with a given NLRI. If there are multiple VRFs, + each of which has state that is sufficient to cause a given + C-multicast route to be originated, the route can be thought of as + originating from several VRFs. It MUST NOT be withdrawn by the PE + until there is no longer any VRF with multicast state sufficient to + cause the route to be originated. + + For a given extranet, the site(s) that contains the extranet + source(s) and the site(s) that contains the extranet receiver(s) may + be connected to the same PE. In this scenario, the procedures by + which (multicast) traffic from these sources is delivered to these + receivers are local to the PE and are outside the scope of this + document. + + An implementation MUST support multiple extranet VRFs on a PE. + +9. IANA Considerations + + IANA has allocated two new codepoints from the "First Come First + Served" [RFC5226] range of the "Transitive Opaque Extended Community + Sub-Types" registry (under the top-level registry "Border Gateway + Protocol (BGP) Extended Communities" registry). + + o Extranet Source Extended Community (0x04) + + o Extranet Separation Extended Community (0x05) + + + + + + + + +Rekhter, et al. Standards Track [Page 58] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +10. Security Considerations + + The security considerations of [RFC6513] and [RFC6514] are + applicable. + + As is the case with any application of technology based upon + [RFC4364], misconfiguration of the RTs may result in VPN security + violations (i.e., may result in a packet being delivered to a VPN + where, according to policy, it is not supposed to go). + + In those cases where the set of extranet sources of a particular VRF + are manually configured, improper configuration of the VRF can result + in VPN security violations -- traffic from a host that is not an + extranet source may be treated as if it were traffic from an extranet + source. + + Section 4.4 specifies the optional use of a new Extended Community -- + the Extranet Source Extended Community. Security considerations + regarding the use and distribution of that Extended Community are + discussed in that section. + + The procedures of this document do not provide encryption of the data + flows that are sent across the SP backbone network. Hence, these + procedures do not by themselves ensure the privacy or integrity of + the data against attacks on the backbone network. + + In general, different VPNs are allowed to have overlapping IP address + spaces; i.e., a host in one VPN may have the same IP address as a + host in another. This is safe because the customer routes from a + given VPN do not pass into other VPNs. Even if there are overlapping + address spaces among VPNs, the routes that are known at any given VPN + site are unambiguous, as long as the address space of that VPN is + unambiguous. However, this is not necessarily true when extranet + service is provided. If an extranet C-receiver in VPN-R is to be + able to receive multicast traffic from an extranet C-source in VPN-S, + then the address of the VPN-S extranet C-source must be imported into + one or more VPN-R VRFs. If that address is also the address of a + VPN-R non-extranet C-source, then a system attempting to receive an + extranet C-flow from the VPN-R extranet C-source may instead receive + a non-extranet C-flow from the VPN-S C-source. Otherwise, a VPN + security violation may result. + + That is, when provisioning an extranet between two VPNs that have + overlapping address spaces, one must ensure that the IP addresses of + the extranet sources and the extranet receivers are not from the + overlapping part of the address space. This document specifies that + if a route is imported into a given VRF, all addresses that match + that route must be unambiguous in the context of that VRF. Improper + + + +Rekhter, et al. Standards Track [Page 59] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + provisioning of the extranet source addresses or improper + provisioning of the RTs may cause this rule to be violated and may + result in a VPN security violation. + + It is possible that a given multicast C-source is the source of + multiple flows, some of which are intended to be extranet C-flows and + some of which are intended to be non-extranet flows. However, the + procedures of this document will allow any C-receiver that is able to + receive the extranet C-flows from a given C-source to also receive + the non-extranet C-flows from that source. As a result, VPN security + violations may result if any system is a C-source for both extranet + and non-extranet C-flows. However, the set of C-flows transmitted by + a given C-source is not under the control of the SP. SPs who offer + the extranet MVPN service must make sure that this potential for VPN + security violations is clearly understood by the customers who + administer the C-sources. + + This specification does not require that UMH-eligible routes be "host + routes"; they may be less specific routes. So, it is possible for + the NLRI of a UMH-eligible route to contain an address prefix that + matches the address of both an extranet C-source and a non-extranet + C-source. If such a route is exported from a VPN-S VRF and imported + by a VPN-R VRF, C-receivers contained in VPN-R will be able to + receive C-flows from the non-extranet C-sources whose addresses match + that route. This may result in VPN security violations. Service + providers who offer the extranet MVPN service must make sure that + this is clearly understood by the customers who administer the + distribution of routes from CE routers to PE routers. + + If the address ambiguities described in Sections 2.1 and 2.2 are not + prohibited by deployment of the policies described in Section 2.3.2, + VRFs must be able to discard traffic that arrives on the wrong + P-tunnel (as specified in Sections 2.3.1 and 7.5). Otherwise, VPN + security violations may occur. + + + + + + + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 60] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +11. References + +11.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + . + + [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended + Communities Attribute", RFC 4360, DOI 10.17487/RFC4360, + February 2006, . + + [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private + Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, + February 2006, . + + [RFC6513] Rosen, E., Ed., and R. Aggarwal, Ed., "Multicast in + MPLS/BGP IP VPNs", RFC 6513, DOI 10.17487/RFC6513, + February 2012, . + + [RFC6514] Aggarwal, R., Rosen, E., Morin, T., and Y. Rekhter, "BGP + Encodings and Procedures for Multicast in MPLS/BGP IP + VPNs", RFC 6514, DOI 10.17487/RFC6514, February 2012, + . + + [RFC6625] Rosen, E., Ed., Rekhter, Y., Ed., Hendrickx, W., and R. + Qiu, "Wildcards in Multicast VPN Auto-Discovery Routes", + RFC 6625, DOI 10.17487/RFC6625, May 2012, + . + + [RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP + Extended Communities", RFC 7153, DOI 10.17487/RFC7153, + March 2014, . + + [RFC7761] Fenner, B., Handley, M., Holbrook, H., Kouvelas, I., + Parekh, R., Zhang, Z., and L. Zheng, "Protocol Independent + Multicast - Sparse Mode (PIM-SM): Protocol Specification + (Revised)", STD 83, RFC 7761, DOI 10.17487/RFC7761, + March 2016, . + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 61] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +11.2. Informative References + + [MVPN-IR] Rosen, E., Ed., Subramanian, K., and Z. Zhang, "Ingress + Replication Tunnels in Multicast VPN", Work in Progress, + draft-ietf-bess-ir-03, April 2016. + + [RFC3446] Kim, D., Meyer, D., Kilmer, H., and D. Farinacci, "Anycast + Rendevous Point (RP) mechanism using Protocol Independent + Multicast (PIM) and Multicast Source Discovery Protocol + (MSDP)", RFC 3446, DOI 10.17487/RFC3446, January 2003, + . + + [RFC3618] Fenner, B., Ed., and D. Meyer, Ed., "Multicast Source + Discovery Protocol (MSDP)", RFC 3618, + DOI 10.17487/RFC3618, October 2003, + . + + [RFC4610] Farinacci, D. and Y. Cai, "Anycast-RP Using Protocol + Independent Multicast (PIM)", RFC 4610, + DOI 10.17487/RFC4610, August 2006, + . + + [RFC4875] Aggarwal, R., Ed., Papadimitriou, D., Ed., and S. + Yasukawa, Ed., "Extensions to Resource Reservation + Protocol - Traffic Engineering (RSVP-TE) for Point-to- + Multipoint TE Label Switched Paths (LSPs)", RFC 4875, + DOI 10.17487/RFC4875, May 2007, + . + + [RFC5015] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano, + "Bidirectional Protocol Independent Multicast + (BIDIR-PIM)", RFC 5015, DOI 10.17487/RFC5015, + October 2007, . + + [RFC5059] Bhaskar, N., Gall, A., Lingard, J., and S. Venaas, + "Bootstrap Router (BSR) Mechanism for Protocol Independent + Multicast (PIM)", RFC 5059, DOI 10.17487/RFC5059, + January 2008, . + + + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 62] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 5226, + DOI 10.17487/RFC5226, May 2008, + . + + [RFC6388] Wijnands, IJ., Ed., Minei, I., Ed., Kompella, K., and B. + Thomas, "Label Distribution Protocol Extensions for Point- + to-Multipoint and Multipoint-to-Multipoint Label Switched + Paths", RFC 6388, DOI 10.17487/RFC6388, November 2011, + . + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 63] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +Acknowledgments + + The authors wish to thank DP Ayyadevara, Robert Kebler, Padmini + Misra, Rayen Mohanty, Maria Napierala, Karthik Subramanian, and Kurt + Windisch for their contributions to this work. + + We also wish to thank Lizhong Jin and Rishabh Parekh for their + reviews and comments. + + Special thanks to Jeffrey (Zhaohui) Zhang for his careful review and + for providing the ASCII art appearing in Section 2. + +Contributors + + Below is a list of other contributing authors, in alphabetical order: + + Wim Henderickx + Nokia + Copernicuslaan 50 + Antwerp 2018 + Belgium + + Email: wim.henderickx@nokia.com + + + Praveen Muley + Nokia + + Email: Praveen.Muley@nokia.com + + + Ray Qiu + Juniper Networks, Inc. + 1194 North Mathilda Avenue + Sunnyvale, CA 94089 + United States + + Email: rqiu@juniper.net + + + IJsbrand Wijnands + Cisco Systems, Inc. + De Kleetlaan 6a + Diegem 1831 + Belgium + + Email: ice@cisco.com + + + + +Rekhter, et al. Standards Track [Page 64] + +RFC 7900 Extranet Multicast in BGP/IP MPLS VPNs June 2016 + + +Authors' Addresses + + Yakov Rekhter (editor) + Juniper Networks, Inc. + 1194 North Mathilda Avenue + Sunnyvale, CA 94089 + United States + + + Eric C. Rosen (editor) + Juniper Networks, Inc. + 10 Technology Park Drive + Westford, Massachusetts 01886 + United States + + Email: erosen@juniper.net + + + Rahul Aggarwal + Arktan + + Email: raggarwa_1@yahoo.com + + + Yiqun Cai + Alibaba Group + 400 S El Camino Real #400 + San Mateo, CA 94402 + United States + + Email: yiqun.cai@alibaba-inc.com + + + Thomas Morin + Orange + 2 Avenue Pierre-Marzin + 22307 Lannion Cedex + France + + Email: thomas.morin@orange.com + + + + + + + + + + + +Rekhter, et al. Standards Track [Page 65] + -- cgit v1.2.3