]> Cisco

pbrisset@cisco.com

Cisco

sajassi@cisco.com

Cisco

lburdet@cisco.com

Independent

je_drake@yahoo.com

Nokia

jorge.rabadan@nokia.com

General BESS Working Group EVPN Designated Forwarder Convergence Recovery The Ethernet Virtual Private Network (EVPN) solution in RFC 7432 provides Designated Forwarder (DF) election procedures for multihomed Ethernet Segments. These procedures have been enhanced further by applying the Highest Random Weight (HRW) algorithm for Designated Forwarder election to avoid unnecessary DF status changes upon a failure. This document improves these procedures by providing a fast Designated Forwarder election upon recovery of the failed link or node associated with the multihomed Ethernet Segment. This document updates RFC 8584 by optionally introducing delays between some of the events therein. The solution is independent of the number of EVPN Instances (EVIs) associated with that Ethernet Segment and it is performed via a simple signaling in BGP between the recovered node and each of the other nodes in the multihoming group.

The Ethernet Virtual Private Network (EVPN) solution is widely used in data center (DC) applications for Network Virtualization Overlay (NVO) and DC interconnect (DCI) services, and in service provider (SP) applications for next generation virtual private LAN services. describes Designated Forwarder (DF) election procedures for multihomed Ethernet Segments. These procedures are enhanced further in by applying the Highest Random Weight algorithm for DF election in order to avoid unnecessary DF status changes upon a link or node failure associated with the multihomed Ethernet Segment. This document makes further improvements to the DF election procedures in by providing an option for a fast DF election upon recovery of the failed link or node associated with the multihomed Ethernet Segment. This DF election is achieved independent of the number of EVPN Instances (EVIs) associated with that Ethernet Segment and it is performed via straightforward signaling in BGP between the recovered node and each of the other nodes in the multihomed Ethernet Segment redundancy group.
This document updates the DF Election Finite State Machine (FSM) described in , by optionally introducing delays between some events, as further detailed in . The solution is based on a simple one-way signaling mechanism.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

PE:

Provider Edge device.

Designated Forwarder (DF):

A PE that is currently forwarding (encapsulating/decapsulating) traffic for a given VLAN in and out of a site.

NDF:

Non-Designated Forwarder, a PE that is currently blocking traffic (see DF above).

EVI:

An EVPN instance spanning the Provider Edge (PE) devices participating in that EVPN.

HRW:

Highest Random Weight algorithm,

Service carving:

DF Election is also referred to as "service carving" in

SCT:

Service Carving Timestamp, defined in this document, the time at which all nodes participating in an Ethernet Segment perform DF Election.

In EVPN technology, multiple Provider Edge (PE) devices have the ability to encapsulate and decapsulate data belonging to the same VLAN. Under certain conditions, this may cause duplicated Ethernet packets and potential loops if there is a momentary overlap in forwarding roles between two or more PE devices, potentially also leading to broadcast storms of frames forwarded back into the VLAN. EVPN currently specifies timer-based synchronization among PE devices within a Ethernet Segment redundancy group. This approach can lead to duplications and potential loops due to multiple Designated Forwarders (DFs) if the timer interval is too short, or to packet drops if the timer interval is too long. Split-horizon filtering, as described in , can prevent loops but does not address duplicates. However, if there are overlapping Designated Forwarders of two different sites simultaneously for the same VLAN, the site identifier will differ when the packet re-enters the Ethernet Segment. Consequently, the split-horizon check will fail, resulting in layer-2 loops. The updated DF procedures outlined in use the well-known Highest Random Weight (HRW) algorithm to prevent the reshuffling of VLANs among PE devices within the Ethernet Segment redundancy group during failure or recovery events. This approach minimizes the impact on VLANs not assigned to the failed or recovered ports and eliminates the occurrence of loops or duplicates during such events. However, upon PE insertion or a port being newly added to a multihomed Ethernet Segment, HRW cannot help either as a transfer of DF role to the new port must occur while the old DF is still active.

In , when PE2 is inserted in the Ethernet Segment or its CE1-facing interface recovered, PE1 will transfer the DF role of some VLANs to PE2 to achieve load balancing. However, because there is no handshake mechanism between PE1 and PE2, overlapping of DF roles for a given VLAN is possible which leads to duplication of traffic as well as layer-2 loops. Current EVPN specifications and rely on a timer-based approach for transferring the DF role to the newly inserted device. This can cause the following issues:

• Loops/Duplicates if the timer value is too short
• Prolonged Traffic Blackholing if the timer value is too long

The clock-synchronization solution for fast DF recovery presented in this document follows several design principles and offers multiple advantages, namely:

• Complex handshake signaling mechanisms and state machines are avoided in favor of a simple uni-directional signaling approach.
• The fast DF recovery solution maintains backwards-compatibility (see ) by ensuring that PEs reject any unrecognized new BGP EVPN Extended Community.
• Existing DF Election algorithms remain supported.
• The fast DF recovery solution is independent of any BGP delays in propagation of Ethernet Segment routes (Route Type 4)
• The fast DF recovery solution is agnostic of the actual time synchronization mechanism used, however, an NTP-based representation of time is used for EVPN signaling.

The fast DF recovery solution relies on the concept of common clock alignment between partner PEs participating in a common Ethernet Segment, i.e., PE1 and PE2 in . The main idea is to have all peering PEs of that Ethernet Segment perform DF election, and apply the result at the same pre-announced time. The DF Election procedure, as described in and as optionally signaled in , is applied. All PEs attached to a given Ethernet Segment are clock-synchronized using a networking protocol for clock synchronization (e.g., NTP, PTP). Whenever possible, recovery activities for failed PEs SHOULD NOT be initiated until after the clock synchronization operations have converged to benefit from this document's fast DF recovery procedures. When a new PE is inserted in an Ethernet Segment or a failed PE of the Ethernet Segment recovers, that PE communicates to peering partners the current time plus the value of the timer for partner discovery from step 2 in . This constitutes an "end time" or "absolute time" as seen from the local PE. That absolute time is called the "Service Carving Time" (SCT). A new BGP EVPN Extended Community, the Service Carving Timestamp is advertised along with the Ethernet Segment Route Type 4 (RT-4) and communicates the Service Carving Time to other partners to ensure an orderly transfer of forwarding duties. Upon receipt of the new BGP EVPN Extended Community, partner PEs can determine the service carving time of the newly inserted PE. To eliminate any potential for duplicate traffic or loops, the concept of skew is introduced: a small time offset to ensure a controlled and orderly transition when multiple Provider Edge (PE) devices are involved. The receiving partner PEs subtract a skew (default = 10ms) to the Service Carving Time to enforce this mechanism. The previously inserted PE(s) must perform service carving first for NDF to DF transitions, followed shortly by the NDF to DF transitions on both PEs, after the specified skew delay. On the recovering PE, all services are already in NDF state and no skew for DF to NDF transitions is required. To summarize, all peering PEs perform service carving almost simultaneously at the time announced by the newly added/recovered PE. The newly inserted PE initiates the SCT, and triggers service carving immediately on its local timer expiry. The previously inserted PE(s) receiving Ethernet Segment route (RT-4) with an SCT BGP extended community, perform service carving shortly before Service Carving Time for DF to NDF transitions, and at Service Carving Time for NDF to DF transitions.

A new BGP extended community is defined to communicate the Service Carving Timestamp for each Ethernet Segment. A new transitive extended community where the Type field is 0x06, and the Sub-Type is 0x0F is advertised along with the Ethernet Segment route. The expected Service Carving Time is encoded as an 8-octet value as follows:

The timestamp exchanged uses the NTP prime epoch of January 1, 1900 and an adapted form of the 64-bit NTP Timestamp Format. The NTP Era value is not exchanged and participating PEs may consider the timestamps to be in the same Era as their local value. A DF Election operation occurring exactly at the Era transition boundary some time in 2036 is outside of the scope of this document.
The 64-bit NTP Timestamp Format consists of a 32-bit part for Seconds and a 32-bit part for Fraction, which are encoded in the Service Carving Time as follows:

• Timestamp Seconds: 32-bit NTP seconds are encoded in this field.
• Timestamp Fractional Seconds: the high order 16 bits of the NTP 'Fraction' field are encoded in this field.

When rebuilding a 64-bit NTP Timestamp Format using the values from a received SCT BGP extended community, the lower order 16 bits of the Fractional field are set to 0. The use of a 16-bit fractional seconds value yields adequate precision of 15 microseconds (2^-16 s). This document introduces a new flag called Time Synchronization indicated by "T" in the DF Election Capabilities registry defined in for use in DF Election Extended Community.

• Bit 3: Time Synchronization (corresponds to Bit 27 of the DF Election Extended Community). When set to 1, it indicates the desire to use Time Synchronization capability with the rest of the PEs in the Ethernet Segment.

This capability is utilized in conjunction with the agreed-upon DF Election Type. For instance, if all the PE devices in the Ethernet Segment indicate the desire to use the Time Synchronization capability and request the DF Election Type to be Highest Random Weight (HRW), then the HRW algorithm is used in conjunction with this capability. A PE which does not support the procedures set out in this document, or receives a route from another PE in which the capability is not set MUST NOT delay Designated Forwarder election as this could lead to duplicate traffic in some instances (overlapping Designated Forwarders).

This document introduces an additional delay to the events and transitions defined for the default DF election algorithm FSM in without changing the FSM state or event definitions themselves. Upon receiving a RCVD_ES message, the peering PE's Finite State Machine (FSM) transitions from the DF_DONE (indicating the DF election process was complete) state to the DF_CALC (indicating that a new DF calculation is needed) state. Due to the Service Carving Time (SCT) included in the Ethernet-Segment update, the completion of the DF_CALC state and the subsequent transition back to the DF_DONE state are delayed. This delay ensures proper synchronization and prevents conflicts. Consequently, the accompanying forwarding updates to the Designated Forwarder (DF) and Non-Designated Forwarder (NDF) states are also deferred. Item 9. in , the list "Corresponding actions when transitions are performed or states are entered/exited" is changed as follows:

9. DF_CALC on CALCULATED: Mark the election result for the VLAN or VLAN Bundle.
   1. If an SCT timestamp is present during the RCVD_ES event of Action 11, wait until the time indicated by the SCT minus skew before proceeding to step 9.3.
   2. If an SCT timestamp is present during the RCVD_ES event of Action 11, wait until the time indicated by the SCT before proceeding to step 9.4.
   3. Assume the role of NDF for the local PE concerning the VLAN or VLAN Bundle, and transition to the DF_DONE state.
   4. Assume the role of DF for the local PE concerning the VLAN or VLAN Bundle, and transition to the DF_DONE state.

This revised approach ensures proper timing and synchronization in the DF election process, avoiding conflicts and ensuring accurate forwarding updates.

Consider as an example, where initially PE2 has failed and PE1 has taken over. This scenario illustrates the problem with the DF-Election mechanism described in , specifically in the context of the timer value configured for all PEs on the Ethernet Segment. Procedure based on with the default 3 second timer in step 2:

1. Initial state: PE1 is in a steady-state and PE2 is recovering.
2. Recovery: PE2 recovers at an absolute time of t=99.
3. Advertisement: PE2 advertises RT-4, sent at t=100, to partner PE1.
4. Timer Start: PE2 starts a 3 second timer to allow the reception of RT-4 from other PE nodes.
5. Immediate carving: PE1 performs service carving immediately upon RT-4 reception, i.e., t=100 plus some BGP propagation delay.
6. Delayed Carving: PE2 performs service carving at time t=103.

favors traffic drops over duplicate traffic. With the above procedure, traffic drops will occur as part of each PE recovery sequence since PE1 transitions some VLANs to Non-Designated Forwarder (NDF) immediately upon RT-4 reception.
The timer value (default = 3 seconds) directly affects the duration of the packet drops. A shorter (or zero) timer may result in duplicate traffic or traffic loops. Procedure based on the Service Carving Time (SCT) approach:

1. Initial state: PE1 is in a steady state, and PE2 is recovering.
2. Recovery: PE2 recovers at an absolute time of t=99.
3. Timer Start: PE2 starts at t=100 a 3 second timer to allow the reception of RT-4 from other PE nodes.
4. Advertisement: PE2 advertises RT-4, sent at t=100, with a target SCT value of t=103 to partner PE1.
5. Service Carving Timer: PE1 starts the service carving timer, with the remaining time until t=103.
6. Simultaneous Carving: Both PE1 and PE2 carve at an absolute time of t=103.

To maintain the preference for minimal loss over duplicate traffic, PE1 SHOULD carve slightly before PE2 (with skew). The recovering PE2 performs both DF to NDF and NDF to DF transitions per VLAN at the timer's expiry. The original PE1, which received the SCT, applies the following:

• DF to NDF Transition(s): at t=SCT minus skew, where both PEs are NDF for the skew duration.
• NDF to DF Transition(s): at t=SCT.

This split-behavior ensures a smooth DF role transition with minimal loss. Using the SCT approach, the negative effect of the timer to allow the reception of Ethernet Segment RT-4 from other PE nodes is mitigated. Furthermore, the BGP transmission delay (from PE2 to PE1) of the ES RT-4 becomes a non-issue. The SCT approach shortens the 3-second timer window to the order of milliseconds. The peering timer is a configurable value where 3 seconds represents the default. Configuring a timer value of 0, or so small as to expire during propagation of the BGP routes, is outside the scope of this document. In reality, the use of the SCT approach presented in this documents encourages the use of larger peering timer values to overcome any sort of BGP route propagation delays.

In the eventuality 2 or more PEs in a peering Ethernet Segment group are recovering concurrently or roughly the same time, each will advertise a Service Carving Timestamp. This SCT value would correspond to what each recovering PE considers the "end time" for DF Election. A similar situation arises in sequentially recovering PEs, when a second PE recovers approximately at the time of the first PE's advertised SCT expiry, and with its own new SCT-2 outside of the initial SCT window. In the case of multiple concurrent DF elections, each initiated by one of the recovering PEs, the SCTs must be ordered chronologically. All PEs shall execute only a single DF Election at the service carving time corresponding to the largest (latest) received timestamp value. This DF Election will involve all active PEs in a unified DF Election update. Example:

1. Initial State: PE1 is in a steady state, with services elected at PE1.
2. Recovery of PE2: PE2 recovers at time t=100 and advertises RT-4 with a target SCT value of t=103 to its partners (PE1).
3. Timer Initiation by PE2: PE2 starts a 3 second timer to allow the reception of RT-4 from other PE nodes.
4. Timer Initiation by PE1: PE1 starts the service carving timer, with the remaining time until t=103.
5. Recovery of PE3: PE3 recovers at time t=102 and advertises RT-4 with a target SCT value of t=105 to its partners (PE1, PE2).
6. Timer Initiation by PE3: PE3 starts a 3 second timer to allow the reception of RT-4 from other PE nodes.
7. Timer Update by PE2: PE2 cancels the running timer and starts the service carving timer with the remaining time until t=105.
8. Timer Update by PE1: PE1 updates its service carving timer, with the remaining time until t=105.
9. Service Carving: PE1, PE2, and PE3 perform service carving at the absolute time of t=105.

In the eventuality a PE in an Ethernet Segment group recovers during the discovery window specified in , and does not support or advertise the T-bit, then all PEs in the current peering sequence SHALL immediately revert to the default behavior.

For the DF election procedures to achieve global convergence and unanimity within a redundancy group, it is essential that all participating PEs agree on the DF election algorithm to be employed. However, it is possible that some PEs may continue to use the existing modulo-based DF election algorithm from and not utilize the new Service Carving Time (SCT) BGP extended community. PEs that operate using the baseline DF election mechanism will simply discard the new SCT BGP extended community as unrecognized. A PE can indicate its willingness to support clock-synchronized carving by signaling the new 'T' DF Election Capability and including the new SCT BGP extended community along with the Ethernet Segment Route Type 4. If one or more PEs attached to the Ethernet Segment do not signal T=1, then all PEs in the Ethernet Segment SHALL revert to the timer-based approach as specified in . This reversion is particularly crucial in preventing VLAN shuffling when more than two PEs are involved. In the event a new or extra RT-4 is received without the new 'T' DF Election Capability in the midst of an ongoing DF Election sequence, all SCT-based delays are cancelled and the DF Election immediately applied as specified in , as if no SCT had been previously exchanged.

The mechanisms in this document use the EVPN control plane as defined in . Security considerations described in are equally applicable. For the new SCT Extended Community, attack vectors may be setting the value to zero, to a value in the past or to large times in the future. The procedures in this document address implicitly what occurs with a carving time in the past, as this would be a naturally occurring event with a large BGP propagation delay: the receiving PE SHALL treat the DF Election at the peer as having occurred already, and proceed without starting any timer to further delay service carving. For timestamp values in the future, a rogue PE may be advertising a value inconsistent with its local behavior. This is no different from a rogue PE setting all its DF Election results inconsistently to its peers using (or ignoring adherence to) the procedures from , and the result would similarly be duplicate or dropped traffic. It is left to implementations to decide what constitutes an "unreasonably large" SCT value. This document uses MPLS and IP-based tunnel technologies to support data plane transport. Security considerations described in and in are equally applicable.

IANA maintains the "EVPN Extended Community Sub-Types" registry set up by . IANA is requested to confirm the First Come First Served assignment as follows:

IANA maintains the "DF Election Capabilities" registry set up by . IANA is requested to make the following assignment from this registry:

In addition to the authors listed on the front page, the following co-authors have also contributed substantially to this document: Gaurav Badoni
Cisco Email: gbadoni@cisco.com Dhananjaya Rao
Cisco Email: dhrao@cisco.com

Authors would like to acknowledge helpful comments and contributions of Satya Mohanty and Bharath Vasudevan. Also thank you to Anoop Ghanwani and Gunter van de Velde for their thorough review with valuable comments and corrections.