RFC 9161 | EVPN Proxy ARP/ND | January 2022 |
Rabadan, et al. | Standards Track | [Page] |
This document describes the Ethernet Virtual Private Network (EVPN) Proxy ARP/ND function augmented by the capability of the ARP/ND Extended Community. From that perspective, this document updates the EVPN specification to provide more comprehensive documentation of the operation of the Proxy ARP/ND function. The EVPN Proxy ARP/ND function and the ARP/ND Extended Community help operators of Internet Exchange Points, Data Centers, and other networks deal with IPv4 and IPv6 address resolution issues associated with large Broadcast Domains by reducing and even suppressing the flooding produced by address resolution in the EVPN network.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9161.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
As specified in [RFC7432], the IP Address field in the Ethernet Virtual Private Network (EVPN) Media Access Control (MAC) / IP Advertisement route may optionally carry one of the IP addresses associated with the MAC address. A Provider Edge (PE) may learn local IP->MAC pairs and advertise them in EVPN MAC/IP Advertisement routes. Remote PEs importing those routes in the same Broadcast Domain (BD) may add those IP->MAC pairs to their Proxy ARP/ND tables and reply to local ARP Requests or Neighbor Solicitations (or "unicast-forward" those packets to the owner MAC), reducing and even suppressing, in some cases, the flooding in the EVPN network.¶
EVPN and its associated Proxy ARP/ND function are extremely useful in Data Centers (DCs) or Internet Exchange Points (IXPs) with large Broadcast Domains, where the amount of ARP/ND flooded traffic causes issues on connected routers and Customer Edges (CEs). [RFC6820] describes the address resolution problems in large DC networks.¶
This document describes the Proxy ARP/ND function in [RFC7432] networks, augmented by the capability of the ARP/ND Extended Community [RFC9047]. From that perspective, this document updates [RFC7432].¶
Proxy ARP/ND may be implemented to help IXPs, DCs, and other operators deal with the issues derived from address resolution in large Broadcast Domains.¶
As described in [RFC6820], the IPv4 and IPv6 address resolution can create a lot of issues in large DCs. In particular, the issues created by IPv4 Address Resolution Protocol procedures may be significant.¶
On one hand, ARP Requests use broadcast MAC addresses; therefore, any Tenant System in a large Broadcast Domain will see a large amount of ARP traffic, which is not addressed to most of the receivers.¶
On the other hand, the flooding issue becomes even worse if some Tenant Systems disappear from the Broadcast Domain, since some implementations will persistently retry sending ARP Requests. As [RFC6820] states, there are no clear requirements for retransmitting ARP Requests in the absence of replies; hence, an implementation may choose to keep retrying endlessly even if there are no replies.¶
The amount of flooding that address resolution creates can be mitigated by the use of EVPN and its Proxy ARP/ND function.¶
The implementation described in this document is especially useful in IXP networks.¶
A typical IXP provides access to a large Layer 2 Broadcast Domain for peering purposes (referred to as "the peering network"), where (hundreds of) Internet routers are connected. We refer to these Internet routers as CE devices in this section. Because of the requirement to connect all routers to a single Layer 2 network, the peering networks use IPv4 addresses in length ranges from /21 to /24 (and even bigger for IPv6), which can create very large Broadcast Domains. This peering network is transparent to the CEs and therefore floods any ARP Requests or NS messages to all the CEs in the network. Gratuitous ARP and NA messages are flooded to all the CEs too.¶
In these IXP networks, most of the CEs are typically peering routers and roughly all the Broadcast, Unknown Unicast, and Multicast (BUM) traffic is originated by the ARP and ND address resolution procedures. This ARP/ND BUM traffic causes significant data volumes that reach every single router in the peering network. Since the ARP/ND messages are processed in "slow path" software processors and they take high priority in the routers, heavy loads of ARP/ND traffic can cause some routers to run out of resources. CEs disappearing from the network may cause address resolution explosions that can make a router with limited processing power fail to keep BGP sessions running.¶
The issue might be better in IPv6 routers if Multicast Listener Discovery (MLD) snooping was enabled, since ND uses an SN-multicast address in NS messages; however, ARP uses broadcast and has to be processed by all the routers in the network. Some routers may also be configured to broadcast periodic Gratuitous ARPs (GARPs) [RFC5227]. For IPv6, the fact that IPv6 CEs have more than one IPv6 address contributes to the growth of ND flooding in the network. The amount of ARP/ND flooded traffic grows linearly with the number of IXP participants; therefore, the issue can only grow worse as new CEs are added.¶
In order to deal with this issue, IXPs have developed certain solutions over the past years. While these solutions may mitigate the issues of address resolution in large broadcast domains, EVPN provides new more efficient possibilities to IXPs. EVPN and its Proxy ARP/ND function may help solve the issue in a distributed and scalable way, fully integrated with the PE network.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document assumes familiarity with the terminology used in [RFC7432].¶
Figure 1 illustrates an example EVPN network where the Proxy ARP/ND function is enabled.¶
When the Proxy ARP/ND function is enabled in a BD (Broadcast Domain) of the EVPN PEs, each PE creates a Proxy table specific to that BD that can contain three types of Proxy ARP/ND entries:¶
As a high-level example, the operation of the EVPN Proxy ARP/ND function in the network of Figure 1 is described below. In this example, we assume IP1, IP2, and IP3 are IPv4 addresses:¶
The PEs start adding dynamic, static, and EVPN-learned entries to their Proxy tables:¶
When CE3 sends an ARP Request asking for the MAC address of IP1, PE3 will:¶
In the same example, if we assume IP1, IP2, IP3, and IP4 are now IPv6 addresses and Proxy ARP/ND is enabled in BD1:¶
PEs will start adding entries in a similar way as they would for IPv4; however, there are some differences:¶
As PE3 learns more and more host entries in the Proxy ARP/ND table, the flooding of ARP Request messages among PEs is reduced and in some cases, it can even be suppressed. In a network where most of the participant CEs are not moving between PEs and are advertising their presence with GARPs or unsolicited-NA messages, the ARP/ND flooding among PEs, as well as the unknown unicast flooding, can practically be suppressed. In an EVPN-based IXP network, where all the entries are static, the ARP/ND flooding among PEs is in fact totally suppressed.¶
In a network where CEs move between PEs, the Proxy ARP/ND function relies on the CE signaling its new location via GARP or unsolicited-NA messages so that tables are immediately updated. If a CE moves "silently", that is, without issuing any GARP or NA message upon getting attached to the destination PE, the mechanisms described in Section 3.5 make sure that the Proxy ARP/ND tables are eventually updated.¶
The Proxy ARP/ND function can be structured in six sub-functions or procedures:¶
A Proxy ARP/ND implementation MUST at least support the Learning, Reply, Maintenance, and duplicate IP detection sub-functions. The following sections describe each individual sub-function.¶
A Proxy ARP/ND implementation in an EVPN BD MUST support dynamic and EVPN-learned entries and SHOULD support static entries.¶
Static entries are provisioned from the management plane. A static entry is configured on the PE attached to the host using the IP address in that entry. The provisioned static IP->MAC entry MUST be advertised in EVPN with an ARP/ND Extended Community where the Immutable ARP/ND Binding Flag (I) is set to 1, as per [RFC9047]. When the I Flag in the ARP/ND Extended Community is 1, the advertising PE indicates that the IP address must not be associated to a MAC other than the one included in the EVPN MAC/IP Advertisement route. The advertisement of I = 1 in the ARP/ND Extended Community is compatible with any value of the Sticky bit (S) or sequence number in the [RFC7432] MAC Mobility Extended Community. Note that the I bit in the ARP/ND Extended Community refers to the immutable configured association between the IP and the MAC address in the IP->MAC binding, whereas the S bit in the MAC Mobility Extended Community refers to the fact that the advertised MAC address is not subject to the [RFC7432] mobility procedures.¶
An entry may associate a configured static IP to a list of potential MACs, i.e., IP1->(MAC1,MAC2..MACN). Until a frame (including a local ARP/NA message) is received from the CE, the PE will not advertise any IP1->MAC in EVPN. Upon receiving traffic from the CE, the PE will check that the source MAC, e.g., MAC1, is included in the list of allowed MACs. Only in that case, the PE will activate the IP1->MAC1 and advertise only that IP1 and MAC1 in an EVPN MAC/IP Advertisement route.¶
The PE MUST create EVPN-learned entries from the received valid EVPN MAC/IP Advertisement routes containing a MAC and IP address.¶
Dynamic entries are learned in different ways depending on whether the entry contains an IPv4 or IPv6 address:¶
The PE MUST snoop the NA messages (Ethertype 0x86dd, ICMPv6 type 136) received from the CEs attached to the BD and learn dynamic entries from the Target Address and TLLA information. NA messages received from remote EVPN PEs are not snooped. A PE implementing Proxy ND as in this document MUST NOT create dynamic IP->MAC entries from NS messages because they don't contain the R Flag required by the Proxy ND reply function. See Section 3.2.1 for more information about the R Flag.¶
This document specifies an "anycast" capability that can be configured for the Proxy ND function of the PE and affects how dynamic Proxy ND entries are learned based on the O Flag of the snooped NA messages. If the O Flag is zero in the received NA message, the IP->MAC SHOULD only be learned in case the IPv6 "anycast" capability is enabled in the BD. Irrespective, an NA message with O Flag = 0 will be normally forwarded by the PE based on a MAC DA lookup.¶
The following procedure associated to the Learning sub-function is RECOMMENDED:¶
Note that if a static entry is provisioned with the same IP as an existing EVPN-learned or dynamic entry, the static entry takes precedence.¶
In case of a PE reboot, the static and EVPN entries will be re-added as soon as the PE is back online and receives all the EVPN routes for the BD. However, the dynamic entries will be gone. Due to that reason, new NS and ARP Requests will be flooded by the PE to remote PEs and dynamic entries gradually relearned again.¶
[RFC4861] describes the use of the R Flag in IPv6 address resolution:¶
The use of the R Flag in NA messages has an impact on how hosts select their default gateways when sending packets off-link, as per [RFC4861]:¶
The R and O Flags for a Proxy ARP/ND entry will be learned in the following ways:¶
Note that, typically, IP->MAC entries with O = 0 will not be learned; therefore, the Proxy ND function will reply to NS messages with NA messages that contain O = 1. However, this document allows the configuration of the "anycast" capability in the BD where the Proxy ND function is enabled. If "anycast" is enabled in the BD and an NA message with O = 0 is received, the associated IP->MAC entry will be learned with O = 0. If this "anycast" capability is enabled in the BD, duplicate IP detection must be disabled so that the PE is able to learn the same IP mapped to different MACs in the same Proxy ND table. If the "anycast" capability is disabled, NA messages with O Flag = 0 will not create a Proxy ND entry (although they will be forwarded normally); hence, no EVPN advertisement with ARP/ND Extended Community will be generated.¶
This sub-function will reply to address resolution requests/solicitations upon successful lookup in the Proxy ARP/ND table for a given IP address. The following considerations should be taken into account, assuming that the ARP Request / NS lookup hits a Proxy ARP/ND entry IP1->MAC1:¶
When replying to ARP Requests or NS messages:¶
When replying to an NS, a PE SHOULD set the Flags in the NA messages as follows:¶
For Proxy ND, a PE MUST reply to NS messages with known options with the format and options specified in [RFC4861] and MAY reply, discard, forward, or unicast-forward NS messages containing other options. An administrative choice to control the behavior for received NS messages with unknown options ("reply", "discard", "unicast-forward", or "forward") MAY be supported.¶
As discussed in Section 3.3, in some cases, the operator may want to "unicast-forward" certain ARP Requests and NS messages as opposed to reply to them. The implementation of a "unicast-forward" function is RECOMMENDED. This option can be enabled with one of the following parameters:¶
If "unicast-forward always" is enabled, the PE will perform a Proxy ARP/ND table lookup and, in case of a hit, the PE will forward the packet to the owner of the MAC found in the Proxy ARP/ND table. This is irrespective of the options carried in the ARP/ND packet. This option provides total transparency in the BD and yet reduces the amount of flooding significantly.¶
If "unicast-forward unknown-options" is enabled, upon a successful Proxy ARP/ND lookup, the PE will perform a "unicast-forward" action only if the ARP Requests or NS messages carry unknown options, as explained in Section 3.3. The "unicast-forward unknown-options" configuration allows the support of new applications using ARP/ND in the BD while still reducing the flooding.¶
Irrespective of the enabled option, if there is no successful Proxy ARP/ND lookup, the unknown ARP Request / NS message will be flooded in the context of the BD, as per Section 3.6.¶
The Proxy ARP/ND tables SHOULD follow a number of maintenance procedures so that the dynamic IP->MAC entries are kept if the owner is active and flushed (and the associated RT2 withdrawn) or if the owner is no longer in the network. The following procedures are RECOMMENDED:¶
The PE MAY send periodic refresh messages (ARP/ND "probes") to the owners of the dynamic Proxy ARP/ND entries, so that the entries can be refreshed before they age out. The owner of the IP->MAC entry would reply to the ARP/ND probe and the corresponding entry age-time reset. The periodic send-refresh timer is an administrative option and is RECOMMENDED to be a third of the age-time or a half of the age-time in scaled networks.¶
An ARP refresh issued by the PE will be an ARP Request message with the sender's IP = 0 sent from the PE's MAC SA. If the PE has an IP address in the subnet, for instance, on an Integrated Routing and Bridging (IRB) interface, then it MAY use it as a source for the ARP Request (instead of sender's IP = 0). An ND refresh will be an NS message issued from the PE's MAC SA and a Link Local Address associated to the PE's MAC.¶
The refresh request messages SHOULD be sent only for dynamic entries and not for static or EVPN-learned entries. Even though the refresh request messages are broadcast or multicast, the PE SHOULD only send the message to the attachment circuit associated to the MAC in the IP->MAC entry.¶
The age-time and send-refresh options are used in EVPN networks to avoid unnecessary EVPN RT2 withdrawals; if refresh messages are sent before the corresponding BD Bridge-Table and Proxy ARP/ND age-time for a given entry expires, inactive but existing hosts will reply, refreshing the entry and therefore avoiding unnecessary EVPN MAC/IP Advertisement withdrawals in EVPN. Both entries (MAC in the BD and IP->MAC in the Proxy ARP/ND) are reset when the owner replies to the ARP/ND probe. If there is no response to the ARP/ND probe, the MAC and IP->MAC entries will be legitimately flushed and the RT2s withdrawn.¶
The Proxy ARP/ND function implicitly helps reduce the flooding of ARP Requests and NS messages to remote PEs in an EVPN network. However, in certain use cases, the flooding of ARP/NS/NA messages (and even the unknown unicast flooding) to remote PEs can be suppressed completely in an EVPN network.¶
For instance, in an IXP network, since all the participant CEs are well known and will not move to a different PE, the IP->MAC entries for the local CEs may be all provisioned on the PEs by a management system. Assuming the entries for the CEs are all provisioned on the local PE, a given Proxy ARP/ND table will only contain static and EVPN-learned entries. In this case, the operator may choose to suppress the flooding of ARP/NS/NA from the local PE to the remote PEs completely.¶
The flooding may also be suppressed completely in IXP networks with dynamic Proxy ARP/ND entries assuming that all the CEs are directly connected to the PEs and that they all advertise their presence with a GARP/unsolicited-NA when they connect to the network. If any of those two assumptions are not true and any of the PEs may not learn all the local Proxy ARP/ND entries, flooding of the ARP/NS/NA messages from the local PE to the remote PEs SHOULD NOT be suppressed, or the address resolution process for some CEs will not be completed.¶
In networks where fast mobility is expected (DC use case), it is NOT RECOMMENDED to suppress the flooding of unknown ARP Requests / NS messages or GARPs/unsolicited-NAs. Unknown ARP Requests / NS messages refer to those ARP Requests / NS messages for which the Proxy ARP/ND lookups for the requested IPs do not succeed.¶
In order to give the operator the choice to suppress/allow the flooding to remote PEs, a PE MAY support administrative options to individually suppress/allow the flooding of:¶
The operator will use these options based on the expected behavior on the CEs.¶
The Proxy ARP/ND function MUST support duplicate IP detection as per this section so that ARP/ND-spoofing attacks or duplicate IPs due to human errors can be detected. For IPv6 addresses, CEs will continue to carry out the DAD procedures as per [RFC4862]. The solution described in this section is an additional security mechanism carried out by the PEs that guarantees IPv6 address moves between PEs are legitimate and not the result of an attack. [RFC6957] describes a solution for the IPv6 Duplicate Address Detection Proxy; however, it is defined for point-to-multipoint topologies with a split-horizon forwarding, where the "CEs" have no direct communication within the same L2 link; therefore, it is not suitable for EVPN Broadcast Domains. In addition, the solution described in this section includes the use of the AS-MAC for additional security.¶
ARP/ND spoofing is a technique whereby an attacker sends "fake" ARP/ND messages onto a Broadcast Domain. Generally, the aim is to associate the attacker's MAC address with the IP address of another host causing any traffic meant for that IP address to be sent to the attacker instead.¶
The distributed nature of EVPN and Proxy ARP/ND allows the easy detection of duplicated IPs in the network in a similar way to the MAC duplication detection function supported by [RFC7432] for MAC addresses.¶
Duplicate IP detection monitors "IP-moves" in the Proxy ARP/ND table in the following way:¶
In order to detect the duplicate IP faster, the PE SHOULD send a Confirm message to the former owner of the IP. A Confirm message is a unicast ARP Request / NS message sent by the PE to the MAC addresses that previously owned the IP, when the MAC changes in the Proxy ARP/ND table. The Confirm message uses a sender's IP 0.0.0.0 in case of ARP (if the PE has an IP address in the subnet, then it MAY use it) and an IPv6 Link Local Address in case of NS. If the PE does not receive an answer within a given time, the new entry will be confirmed and activated. The default RECOMMENDED time to receive the confirmation is 30 seconds. In case of spoofing, for instance, if IP1->MAC1 moves to IP1->MAC2, the PE may send a unicast ARP Request / NS message for IP1 with MAC DA = MAC1 and MAC SA = PE's MAC. This will force the legitimate owner to respond if the move to MAC2 was spoofed and make the PE issue another Confirm message, this time to MAC DA = MAC2. If both, the legitimate owner and spoofer keep replying to the Confirm message. The PE would then detect the duplicate IP within the M-second timer, and a response would be triggered as follows:¶
Upon detecting a duplicate IP situation:¶
The values of M, N, and HOLD-DOWN timer SHOULD be a configurable administrative option to allow for the required flexibility in different scenarios.¶
For Proxy ND, the duplicate IP detection described in this section SHOULD only monitor IP moves for IP->MACs learned from NA messages with O Flag = 1. NA messages with O Flag = 0 would not override the ND cache entries for an existing IP; therefore, the procedure in this section would not detect duplicate IPs. This duplicate IP detection for IPv6 SHOULD be disabled when the IPv6 "anycast" capability is activated in a given BD.¶
The solution described in this document provides the following benefits:¶
Four deployment scenarios with different levels of ARP/ND control are available to operators using this solution depending on their requirements to manage ARP/ND: all dynamic learning, all dynamic learning with Proxy ARP/ND, hybrid dynamic learning and static provisioning with Proxy ARP/ND, and all static provisioning with Proxy ARP/ND.¶
In this scenario for minimum security and mitigation, EVPN is deployed in the BD with the Proxy ARP/ND function shutdown. PEs do not intercept ARP/ND requests and flood all requests issued by the CEs as a conventional Layer 2 network among those CEs would suffice. While no ARP/ND mitigation is used in this scenario, the operator can still take advantage of EVPN features such as control plane learning and all-active multihoming in the peering network.¶
Although this option does not require any of the procedures described in this document, it is added as a baseline/default option for completeness. This option is equivalent to VPLS as far as ARP/ND is concerned. The options described in Sections 5.2, 5.3, and 5.4 are only possible in EVPN networks in combination with their Proxy ARP/ND capabilities.¶
This scenario minimizes flooding while enabling dynamic learning of IP->MAC entries. The Proxy ARP/ND function is enabled in the BDs of the EVPN PEs so that the PEs snoop ARP/ND messages issued by the CEs and respond to CE ARP Requests / NS messages.¶
PEs will flood requests if the entry is not in their Proxy table. Any unknown source IP->MAC entries will be learned and advertised in EVPN, and traffic to unknown entries is discarded at the ingress PE.¶
This scenario makes use of the Learning, Reply, and Maintenance sub-functions, with an optional use of the Unicast-forward and duplicate IP detection sub-functions. The Flood handling sub-function uses default flooding for unknown ARP Requests / NS messages.¶
Some IXPs and other operators want to protect particular hosts on the BD while allowing dynamic learning of CE addresses. For example, an operator may want to configure static IP->MAC entries for management and infrastructure hosts that provide critical services. In this scenario, static entries are provisioned from the management plane for protected IP->MAC addresses, and dynamic learning with Proxy ARP/ND is enabled as described in Section 5.2 on the BD.¶
This scenario makes use of the same sub-functions as in Section 5.2 but with static entries added by the Learning sub-function.¶
For a solution that maximizes security and eliminates flooding and unknown unicast in the peering network, all IP->MAC entries are provisioned from the management plane. The Proxy ARP/ND function is enabled in the BDs of the EVPN PEs so that the PEs intercept and respond to CE requests. Dynamic learning and ARP/ND snooping is disabled so that ARP Requests and NS messages to unknown IPs are discarded at the ingress PE. This scenario provides an operator the most control over IP->MAC entries and allows an operator to manage all entries from a management system.¶
In this scenario, the Learning sub-function is limited to static entries, the Maintenance sub-function will not require any procedures due to the static entries, and the Flood handling sub-function will completely suppress unknown ARP Requests / NS messages as well as GARP and unsolicited-NA messages.¶
Nowadays, almost all IXPs install some security rules in order to protect the peering network (BD). These rules are often called port security. Port security summarizes different operational steps that limit the access to the IXP-LAN and the customer router and controls the kind of traffic that the routers are allowed to exchange (e.g., Ethernet, IPv4, and IPv6). Due to this, the deployment scenario as described in Section 5.4, "All Static Provisioning with Proxy ARP/ND", is the predominant scenario for IXPs.¶
In addition to the "All Static Provisioning" behavior, in IXP networks it is recommended to configure the Reply sub-function to "discard" ARP Requests / NS messages with unrecognized options.¶
At IXPs, customers usually follow a certain operational life cycle. For each step of the operational life cycle, specific operational procedures are executed.¶
The following describes the operational procedures that are needed to guarantee port security throughout the life cycle of a customer with focus on EVPN features:¶
A new customer is connected the first time to the IXP:¶
Before the connection between the customer router and the IXP-LAN is activated, the MAC of the router is allowlisted on the IXP's switch port. All other MAC addresses are blocked. Pre-defined IPv4 and IPv6 addresses of the IXP peering network space are configured at the customer router. The IP->MAC static entries (IPv4 and IPv6) are configured in the management system of the IXP for the customer's port in order to support Proxy ARP/ND.¶
In case a customer uses multiple ports aggregated to a single logical port (LAG), some vendors randomly select the MAC address of the LAG from the different MAC addresses assigned to the ports. In this case, the static entry will be used and associated to a list of allowed MACs.¶
Replacement of customer router:¶
If a customer router is about to be replaced, the new MAC address(es) must be installed in the management system in addition to the MAC address(es) of the currently connected router. This allows the customer to replace the router without any active involvement of the IXP operator. For this, static entries are also used. After the replacement takes place, the MAC address(es) of the replaced router can be removed.¶
Decommissioning a customer router:¶
If a customer router is decommissioned, the router is disconnected from the IXP PE. Right after that, the MAC address(es) of the router and IP->MAC bindings can be removed from the management system.¶
DCs normally have different requirements than IXPs in terms of Proxy ARP/ND. Some differences are listed below:¶
The security considerations of [RFC7432] and [RFC9047] apply to this document too. Note that EVPN does not inherently provide cryptographic protection (including confidentiality protection).¶
The procedures in this document reduce the amount of ARP/ND message flooding, which in itself provides a protection to "slow path" software processors of routers and Tenant Systems in large BDs. The ARP/ND requests that are replied to by the Proxy ARP/ND function (hence not flooded) are normally targeted to existing hosts in the BD. ARP/ND requests targeted to absent hosts are still normally flooded; however, the suppression of unknown ARP Requests and NS messages described in Section 3.6 can provide an additional level of security against ARP Requests / NS messages issued to non-existing hosts.¶
While the unicast-forward and/or flood suppression sub-functions provide an added security mechanism for the BD, they can also increase the risk of blocking the service for a CE if the EVPN PEs cannot provide the ARP/ND resolution that the CE needs.¶
The solution also provides protection against Denial-of-Service (DoS) attacks that use ARP/ND spoofing as a first step. The duplicate IP detection and the use of an AS-MAC as explained in Section 3.7 protects the BD against ARP/ND spoofing.¶
The Proxy ARP/ND function specified in this document does not allow for the learning of an IP address mapped to multiple MAC addresses in the same table unless the "anycast" capability is enabled (and only in case of Proxy ND). When "anycast" is enabled in the Proxy ND function, the number of allowed entries for the same IP address MUST be limited by the operator to prevent DoS attacks that attempt to fill the Proxy ND table with a significant number of entries for the same IP.¶
This document provides some examples and guidelines that can be used by IXPs in their EVPN BDs. When EVPN and its associated Proxy ARP/ND function are used in IXP networks, they provide ARP/ND security and mitigation. IXPs must still employ additional security mechanisms that protect the peering network as per the established BCPs such as the ones described in [EURO-IX-BCP]. For example, IXPs should disable all unneeded control protocols and block unwanted protocols from CEs so that only IPv4, ARP, and IPv6 Ethertypes are permitted on the peering network. In addition, port security features and ACLs can provide an additional level of security.¶
Finally, it is worth noting that the Proxy ARP/ND solution in this document will not work if there is a mechanism securing ARP/ND exchanges among CEs because the PE is not able to secure the "proxied" ND messages.¶
This document has no IANA actions.¶
The authors want to thank Ranganathan Boovaraghavan, Sriram Venkateswaran, Manish Krishnan, Seshagiri Venugopal, Tony Przygienda, Robert Raszuk, and Iftekhar Hussain for their review and contributions. Thank you to Oliver Knapp as well for his detailed review.¶
In addition to the authors listed on the front page, the following coauthors have also contributed to this document:¶