EVPN Interworking with IPVPN

EVPN is used as a unified BGP control plane to support both intra-subnet and inter-subnet forwarding for tenant networks. In deployments where a tenant network spans multiple domains, some of which use EVPN, and others which rely on BGP VPN-IPv4/VPN-IPv6 or IPv4/IPv6 address families for inter-subnet forwarding, it becomes necessary to define interworking procedures to enable seamless end-to-end tenant connectivity across these heterogeneous domains. This document specifies procedures for interworking between EVPN and other BGP address families, including VPN-IPv4, VPN-IPv6, IPv4, and IPv6, specifically for the purpose of inter-subnet forwarding. It also addresses the interconnection of one EVPN domain with another, focusing on the propagation and handling of EVPN inter-subnet forwarding routes across such domains. To support loop prevention in scenarios where redundant gateway Provider Edges (PEs) interconnect distinct domains, this specification introduces a new BGP Path Attribute called the Domain Path (D-PATH). In topologies where multiple gateways connect domains, control plane loops may occur if routes are redistributed between domains without proper safeguards. For example, if gateway PE1 imports a VPN-IP route for a given prefix and redistributes it as an EVPN IP Prefix route into the EVPN domain, and a second gateway PE (PE2) receives this EVPN route and re-advertises it back into the IPVPN domain, a loop may form. The D-PATH attribute is designed to prevent such scenarios by providing domain-level loop detection and avoidance. The D-PATH attribute alters the BGP best path selection logic for Multiprotocol BGP routes of SAFI 128 (VPN-IPv4/IPv6) and for EVPN IP Prefix routes. Accordingly, this document updates the BGP best path selection procedures specified in , but only in the context of IPVPN and EVPN families. EVPN supports the advertisement of IPv4 or IPv6 prefixes through two route types: Route Type 2 - EVPN MAC/IP Advertisement route, as defined in , supporting host routes (i.e., /32 or /128). Route Type 5 - EVPN IP Prefix route, as defined in . When interworking with other BGP address families for inter-subnet forwarding, the IP prefixes conveyed in these EVPN route types must be propagated into corresponding address families (e.g., VPN-IP), and vice versa. Several aspects of this propagation require clarified procedures, including route selection, loop prevention, and BGP Path Attribute handling across AFI/SAFI boundaries. This document defines the concept of an Interworking PE , which is responsible for interconnecting different domains. An Interworking PE implements the following behavior: it imports routes from one domain (along with the domain-specific encapsulation parameters), installs them in an IP-VRF, and reoriginates the routes with the encapsulation attributes suitable for the adjacent domain before advertisement. This reorigination process enables the solution to operate independently of the transport encapsulation mechanisms used within each domain and serves as a service interworking function. The procedures defined herein ensure that tenant inter-subnet connectivity can be maintained across a mix of EVPN and non-EVPN domains, while preventing routing loops and maintaining protocol consistency across BGP address families.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

This section summarizes the terminology related to the "Interworking PE" concept that will be used throughout the rest of the document.

| *---------* |<--> | Eth | -------+ | | | |Eth-Tag x + |IRB1| | \ / / / Eth / \<-+ | | +----------+ | | | +------ | | | | | ... | | IP-VRF1 | | \ \ /<-+ | | +----------+ | | RD2/RT2 |MPLS/NVO tnl -------+ | | | |Bridge | | | | +------ | +-------->|Table(BT2)| |IRB2| | / \ \ | | | | *---------* |<--> | IP | ----------------------*Eth-Tag y | | +-----*-----+ \ / / | AC2 | | +----------+ | AC3| +------ | | | MAC-VRF1 | | | | +-+ RD1/RT1 | | | | +------------------+ | SAFIs | | | 1 +---+ | -------------------------------------------------+ 128 |BGP| | | EVPN +---+ | | | +-------------------------------------------------------------+ ]]> ISF SAFI: the Inter-Subnet Forwarding (ISF) Subsequent Address Family Identifier (SAFI) defines an MP-BGP Sub-Address Family used to advertise IP prefix reachability for inter-subnet forwarding within a tenant network. The SAFIs used for ISF include 1 (applicable only to IPv4 and IPv6 AFIs), 128 (applicable only to IPv4 and IPv6 AFIs), and 70 (EVPN, applicable only to AFI 25). This document uses the following terms interchangeably: ISF SAFI 1 or BGP IP, ISF SAFI 128 or IPVPN, ISF SAFI 70 or EVPN. ISF route: a route for a given prefix, whose ISF SAFI may change as it transits different domains. BGP IP routes as in , IPVPN routes as in , , EVPN IP Prefix routes as in or EVPN MAC/IP Advertisement routes when they are programmed within an IP-VRF , are considered ISF routes in this document. IP-VRF: an IP Virtual Routing and Forwarding table, as defined in . Route Distinguisher and Route Target(s) are required properties of an IP-VRF. An IP-VRF is programmed with ISF routes. MAC-VRF: a MAC Virtual Routing and Forwarding table, as defined in . A MAC-VRF represents the instantiation of an EVPN Instance (EVI) on a PE device. Each MAC-VRF is associated with a unique Route Distinguisher (RD) and one or more Route Targets (RTs), which are required attributes for its operation. These RD and RT values are typically distinct from those used by any associated IP-VRF, when such an IP-VRF is linked to the MAC-VRF through a Bridge Table via an Integrated Routing and Bridging (IRB) interface. BT: a Bridge Table, as defined in , represents the instantiation of a Broadcast Domain on a PE device. When an EVI contains a single Broadcast Domain, the associated MAC-VRF on each PE includes a single BT. In cases where multiple Broadcast Domains exist within the same MAC-VRF, each BT is associated with a distinct Ethernet Tag. EVPN routes specific to a given BT include the corresponding Ethernet Tag to indicate the Broadcast Domain to which the route pertains.Example: In , MAC-VRF1 has two BTs: BT1 and BT2. Ethernet Tag x is defined in BT1 and Ethernet Tag y in BT2. CE: Customer Edge device. Ethernet Tag: used to represent a Broadcast Domain. EVI: an EVPN instance spanning the Provider Edge devices participating in that EVPN. AC: Attachment Circuit or logical interface associated to a given BT or IP-VRF. To determine the AC on which a packet arrived, the PE will examine the combination of a physical port and VLAN tags (where the VLAN tags can be individual VLAN tags, Q-in-Q tags or ranges of both).Example: In , AC1 is associated to BT1, AC2 to BT2 and AC3 to IP-VRF1. IRB: Integrated Routing and Bridging interface. It refers to the logical interface that connects a BT to an IP-VRF and allows to forward packets with destination in a different subnet. MPLS/NVO tunnel: A tunnel that may be based on either MPLS or a Network Virtualization Overlay (NVO) technology. Such tunnels are utilized by both MAC-VRFs and IP-VRFs. Regardless of the underlying tunneling technology, the tunnel may carry either Ethernet or IP payloads. MAC-VRFs are restricted to using tunnels that carry Ethernet payloads - Ethernet NVO Tunnels - which are typically established via EVPN signaling. In contrast, IP-VRFs may utilize tunnels carrying Ethernet payloads - Ethernet NVO Tunnels , signaled via EVPN - or IP payloads - IP NVO Tunnels , signaled via EVPN or IPVPN mechanisms. IPVPN-only PE devices support IP-VRFs but do not support sending or receiving traffic over tunnels carrying Ethernet payloads.Example: illustrates the use of an MPLS or NVO-based tunnel to transport Ethernet frames associated with MAC-VRF1. The PE device identifies the corresponding MAC-VRF and BT based on the EVPN label, either an MPLS label or a Virtual Network Identifier (VNI), depending on the encapsulation type. Additionally, shows two distinct MPLS/NVO tunnels used by IP-VRF1: one tunnel transports Ethernet frames, while the other carries IP packets. This demonstrates that IP-VRFs may concurrently utilize multiple tunnel types, depending on the payload and the signaling mechanism (EVPN or IPVPN). PE: Provider Edge device. RT-2: Route Type 2 or MAC/IP route, as per . RT-5: Route Type 5 or IP Prefix route, as per . NVE: Network Virtualization Edge router. Domain: Two PEs belong to the same domain if they are attached to the same tenant and the packets exchanged between them do not require a data-path IP lookup (in the tenant space) at any transit router. A gateway PE is always configured with multiple DOMAIN-IDs. Domain boundaries are not restricted to an Autonomous System or an IGP instance. The PEs in a domain may reside within the same or in different Autonomous Systems, and a single Autonomous System may also encompass multiple domains. Example 1: depicts an example where Tenant Systems TS1 and TS2 belong to the same tenant, and they are located in different Data Centers that are connected by gateway PEs (see the gateway PE definition later). These gateway PEs use IPVPN in the WAN. When TS1 sends traffic to TS2, the intermediate routers between PE1 and PE2 require a tenant IP lookup in their IP-VRFs so that the packets can be forwarded. In this example there are three different domains. The gateway PEs connect the EVPN domains to the IPVPN domain.

<------------> <----------------> ]]> Example 2: illustrates a similar example, but PE1 and PE2 are now connected by a BGP-LU (BGP Labeled Unicast) tunnel, and they have a BGP peer relationship for EVPN. Contrary to Example 1, there is no need for tenant IP lookups on the intermediate routers in order to forward packets between PE1 and PE2. Therefore, there is only one domain in the network and PE1/PE2 belong to it.

BGP-LU <-------------------------------------------------> ASBR------------ASBR +------+ +------+ +-------------| | | |-------------+ PE1 +------+ +--+---+ PE2 +------+ DC1 | WAN | DC2 +------+ TS1-|IP-VRF| EVPN | | EVPN |IP-VRF|-TS2 +------+ ASBR ASBR +---+--+ | +------+ +------+ | +-------------| | | |-------------+ +------+ +------+ +--------------+ <--------------------DOMAIN-1---------------------> ]]> Regular Domain: a domain in which a single control plane ISF SAFI, i.e., BGP IP, IPVPN or EVPN, is used. A Regular Domain is composed of regular PEs, see below. In and , above, all domains are regular domains. Composite Domain: a domain in which multiple control plane ISF SAFIs, i.e., BGP IP, IPVPN and/or EVPN, are used and which is composed of regular PEs and composite PEs, see below. Regular PE: A PE that is attached to a domain, either regular or composite, and which uses one of the control plane protocols (BGP IP, IPVPN or EVPN) operating in the domain. Interworking PE: A PE device that is capable of advertising a given IP prefix using one or more of the following route types: an EVPN Inter-Subnet Forwarding (ISF) route, either an EVPN MAC/IP Advertisement route or an EVPN IP Prefix route-an IPVPN ISF route, or a BGP IP ISF route. An Interworking PE maintains a single IP-VRF per tenant and zero, one, or more MAC-VRFs per tenant. Each MAC-VRF may include one or more Bridge Tables (BTs), and each BT may be associated with the tenant's IP-VRF via an Integrated Routing and Bridging (IRB) interface. There are two types of Interworking PEs: Composite PE Gateway PE These two functions may be implemented independently on a per-tenant basis and may also coexist for the same tenant on a single PE.Example: shows an interworking PE of type gateway, where ISF SAFIs 1, 128 and 70 are enabled. IP-VRF1 and MAC-VRF1 are instantiated on the PE, and together provide inter-subnet forwarding for the tenant. Composite PE: An Interworking PE device that is connected to a composite domain and is capable of advertising a given prefix to multiple types of peers using appropriate route types. Specifically, a Composite PE advertises the prefix to an IPVPN peer using an IPVPN ISF route, to an EVPN peer using an EVPN ISF route, and to a route reflector using both IPVPN and EVPN ISF routes. A Composite PE implements the procedures defined in .Example: shows an example where PE1 is a composite PE since PE1 has EVPN and another ISF SAFI enabled to the same route-reflector, and PE1 advertises a given IP prefix IPn/x twice, one using EVPN and another one using ISF SAFI 128. PE2 and PE3 are not composite PEs.

|RR| <---> |PE3| +---+ +--+ IPVPN +---+ Composite ]]> Gateway PE: An Interworking PE device that connects two or more distinct domains, where each domain may be either a regular domain or a composite domain. A Gateway PE may establish either IBGP or EBGP sessions with peers in the connected domains. Depending on its configuration, the Gateway PE performs one of the following functions: Propagates ISF routes using the same ISF SAFI, such as BGP IP, IPVPN, or EVPN, between the connected domains. Translates and propagates an ISF route received with one ISF SAFI to a domain that uses a different ISF SAFI. For example, a received EVPN ISF route may be propagated as an IPVPN ISF route, and vice versa. A Gateway PE follows the procedures defined in . A gateway PE is always configured with multiple DOMAIN-IDs. These DOMAIN-IDs are encoded in the D-PATH and are included in ISF SAFI route advertisements. The structure and behavior of the D-PATH attribute are described in . Example: illustrates an example where PE1 is a gateway PE since the EVPN and IPVPN SAFIs are enabled on different BGP peers, and a given local IP prefix IPn/x is sent to both BGP peers for the same tenant. PE2 and PE1 are in one domain and PE3 and PE1 are in another domain.

|PE1| <----> |PE3| +---+ +---+ +---+ Gateway ]]> Composite/Gateway PE: An Interworking PE device that simultaneously performs the functions of both a Composite PE and a Gateway PE. This type of PE is connected to two domains: one regular domain and one composite domain. It operates as follows: Propagates an ISF route received from the regular domain into the composite domain. Within the composite domain, it performs the behavior of a Composite PE. Propagates an ISF route received from the composite domain into the regular domain. In the regular domain, the route is advertised using the ISF SAFI applicable to that domain. This functionality is particularly useful in scenarios where a tenant network spans multiple domains using different ISF SAFIs (e.g., BGP IP, IPVPN, and EVPN), and where any-to-any tenant connectivity is required. In such deployments, maintaining consistent end-to-end control plane behavior across domains is desirable when feasible.

The BGP D-PATH attribute is an optional and transitive BGP path attribute. Similar to AS_PATH, D-PATH is composed of a sequence of Domain segments. Each Domain segment is comprised of <domain segment length, domain segment value>, where the domain segment value is a sequence of one or more Domains, as illustrated in . Each domain is represented by <DOMAIN-ID:ISF_SAFI_TYPE>.

Domain Segment Length (length: 1-octet): containing the number of domains in the segment. “Last Domain” refers to the most recently added Domain, while “Domain of Origin” refers to the first Domain added by the gateway PE that initialized the D-PATH for the ISF route. Multiple Domains may exist between those Domains. DOMAIN-ID is a 6-octet field that represents a domain. It is composed of a 4-octet Global Administrator sub-field and a 2-octet Local Administrator sub-field. The Global Administrator sub-field MAY be filled with an Autonomous System Number (ASN, Public or Private), an IPv4 address, or any value that guarantees the uniqueness of the DOMAIN-ID (when the tenant network is connected to multiple Operators) and helps troubleshooting and debugging of D-PATH in ISF routes. The Local Administrator sub-field is any local 2-octet value, and its allocation or configuration is a local implementation matter. Expressing the Global Administrator and Local Administrator values as opaque unsigned integers is RECOMMENDED. ISF_SAFI_TYPE is a 1-octet field that indicates the Inter-Subnet Forwarding SAFI type in which a route was received by the gateway PE, before the route is re-exported by the gateway PE into a different domain. The ISF_SAFI_TYPE field is informational and does not have any impact on the loop detection or BGP Path selection procedures. The following types are assigned by this document: Value ISF_SAFI_TYPE 0 Gateway PE local ISF route 70 EVPN 128 SAFI 128 The BGP D-PATH attribute is supported on ISF routes of type IPVPN and EVPN and MUST NOT be advertised along with routes different from IPVPN and EVPN routes. By default, the BGP D-PATH attribute is not advertised and MUST be explicitly enabled by configuration on the Gateway PEs. In addition, D-PATH: Identifies the sequence of domains, each identified by a <DOMAIN-ID:ISF_SAFI_TYPE> through which a given ISF route of type IPVPN or EVPN has passed. This attribute list MAY contain one or more segments. Each segment's Domain Segment Length MUST be equal or greater than one. The first entry in the list (leftmost) is the <DOMAIN-ID:ISF_SAFI_TYPE> from which a gateway PE is propagating an ISF IPVPN or EVPN route. The last entry in the list (rightmost) is the <DOMAIN-ID:ISF_SAFI_TYPE> from which a gateway PE received an ISF IPVPN or EVPN route without a D-PATH attribute (the Domain of Origin). Intermediate entries in the list are domains that the ISF IPVPN or EVPN route has transited. As an example, an ISF IPVPN or EVPN route received with a D-PATH attribute containing a domain segment of {length=2, <6500:2:IPVPN>,<6500:1:EVPN>} indicates that the route was originated in EVPN domain 6500:1, and propagated into IPVPN domain 6500:2. In order to minimize the number of segments in the D-PATH attribute, the local gateway PE prepends its own domain as the last element of the domain segment. If the act of prepending a new domain causes an overflow in the domain segment (i.e., more than 255 domains), the local gateway PE MUST prepend a new segment and prepend its own domain to this new segment. Is added/modified by a gateway PE when propagating an update to a different domain (which runs the same or different ISF SAFI): A gateway PE's IP-VRF, that connects two domains, belongs to two DOMAIN-IDs, e.g. 6500:1 for EVPN and 6500:2 for IPVPN. Whenever a prefix arrives at a gateway PE in a particular ISF SAFI route, if the gateway PE needs to export that prefix to a BGP peer, the gateway PE MUST prepend a <DOMAIN-ID:ISF_SAFI_TYPE> to the list of domains in the D-PATH of the received route, as long as the gateway PE works in Uniform-Propagation-Mode, as explained in . For instance, consider an IP-VRF configured with DOMAIN-IDs 6500:1 for EVPN and 6500:2 for IPVPN. If an EVPN route for prefix P is received and P is installed in the IP-VRF, then the corresponding IPVPN route for P, when exported to an IPVPN peer, will include the domain identifier <6500:1:EVPN> prepended to the existing D-PATH attribute. Similarly, prefixes received in the IP-VRF from an IPVPN peer will be exported to EVPN peers with the domain identifier <6500:2:IPVPN> appended to the D-PATH attribute. In the above example, if the EVPN route is received without D-PATH, the gateway PE will add the D-PATH attribute with one segment {length=1, <6500:1:EVPN>} when re-advertising to domain 6500:2. Within the Domain of Origin, the update does not contain a D-PATH attribute because the update has not passed through a gateway PE yet. For a local ISF route, i.e., a configured route or a route learned from a local attachment circuit, a gateway PE following this specification has three choices: The gateway PE MAY advertise that ISF route without a D-PATH attribute into one or more of its configured domains, in which case the D-PATH attribute will be added by the other gateway PEs in each of those domains. The gateway PE MAY advertise that ISF route with a D-PATH attribute into one or more of its configured domains, in which case the D-PATH attribute in each copy of the ISF route is initialized with an ISF_SAFI_TYPE of 0 and the DOMAIN-ID of the domain with which the ISF route is associated. The gateway PE MAY advertise the ISF route with a D-PATH attribute containing a locally configured domain identifier associated with its local ISF routes into one or more of its configured domains. In this case, the D-PATH attribute in each copy of the ISF route is initialized with an ISF_SAFI_TYPE value of 0 and the DOMAIN-ID representing the local ISF domain. The DOMAIN-ID MUST be globally unique and MAY be shared across multiple gateway PEs. Although all three options provide mechanisms for detecting control plane loops, this third option is RECOMMENDED, as it conveys additional information about the origin of the route. Specifically, it allows the receiving PE to identify the route as having originated from a local gateway, based on the combination of the DOMAIN-ID and the ISF_SAFI_TYPE value. An ISF route of type IPVPN or EVPN received by a Gateway PE that includes a D-PATH attribute containing one or more DOMAIN-ID values locally associated with the corresponding IP-VRF MUST be considered a looped ISF route for the purposes of re-advertisement into adjacent domains. In such cases: The ISF route MUST be flagged as "looped". The route MUST NOT be re-exported to any other domain. The route MAY be installed in the IP-VRF only if it is selected as the best path according to the procedures defined in . For the purpose of loop detection, the ISF_SAFI_TYPE value associated with a DOMAIN-ID in the D-PATH attribute is irrelevant. That is, a route is considered looped if it contains at least one DOMAIN-ID that matches any local DOMAIN-ID configured on the Gateway PE, regardless of the ISF_SAFI_TYPE value.Example: In the scenario illustrated in , gateway GW1 receives two ISF routes for the same prefix associated with TS1: An EVPN IP Prefix route with a next-hop of PE1, and no D-PATH attribute. A SAFI 128 (IPVPN) route with a next-hop of GW2, and a D-PATH attribute containing a single segment: {length=1, <6500:1:EVPN>}, where 6500:1 is assumed to be the DOMAIN-ID for domain 1, which is local to GW1. Upon receiving the SAFI 128 route, GW1 identifies 6500:1 as a locally configured DOMAIN-ID, and therefore flags the route as "looped". As a result, GW1 does not install this route in the tenant IP-VRF, because the route selection process prefers the EVPN IP Prefix route (due to its shorter D-PATH attribute, as specified in ). Loop detection is applied even if the ISF_SAFI_TYPE value in the D-PATH attribute is unknown to GW1 or does not match any SAFI defined in this specification. A DOMAIN-ID configured on a gateway PE MAY be assigned at either the peering domain level or scoped individually per tenant IP-VRF. When the DOMAIN-ID is allocated at the peering domain level, it SHALL apply to all tenant IP-VRFs associated with that domain. When the DOMAIN-ID is allocated for a specific tenant IP-VRF, the processing of received D-PATH attributes and their subsequent propagation SHALL be performed in the context of that IP-VRF's DOMAIN-ID. A per tenant IP-VRF DOMAIN-ID assignment is particularly useful in scenarios involving route leaking. For example, consider two gateway PEs, PE1 and PE2, both associated with different tenant IP-VRFs, denoted as IP-VRF-1 and IP-VRF-2. If PE1 advertises ISF SAFI routes for IP-VRF-1 with a DOMAIN-ID of 6500:1, and these routes are received on PE2 and subsequently leaked from IP-VRF-1 into IP-VRF-2, the re-advertisement of the routes from PE2 back to PE1 in the context of IP-VRF-2 will not be considered looped by PE1. This is because PE1 processes the route in the context of IP-VRF-2, for which DOMAIN-ID 6500:1 is not locally configured. The number of domains encoded in the D-PATH attribute reflects the number of Gateway PEs that the corresponding ISF route update has traversed. If a transit Gateway PE performs route leaking between two local tenant IP-VRFs, it MAY prepend a domain segment to the D-PATH attribute with an ISF_SAFI_TYPE value of 0 when exporting the leaked route into an ISF SAFI. In such cases, the total number of domain entries in the D-PATH attribute represents the number of tenant IP-VRFs through which the ISF route update has propagated. The following error-handling procedures apply to the D-PATH Path Attribute: A received D-PATH attribute MUST be considered malformed if it contains a malformed Domain Segment. A Domain Segment MUST be considered malformed under any of the following conditions: The length of the Domain Segment is zero. The length of the Domain Segment exceeds the remaining length of the enclosing D-PATH attribute. Fewer than eight octets remain after the last successfully parsed Domain Segment. The total length of the D-PATH attribute is less than eight octets. Each Domain Segment consists of a one-octet length field indicating the number of Domains in the segment, with each Domain encoded in seven octets. If the total length of the Domain Segment (i.e., 1 + 7 × number of Domains) exceeds the remaining length of the D-PATH attribute, the Domain Segment is considered malformed. A BGP speaker receiving an UPDATE message containing a malformed D-PATH attribute SHALL apply the "treat-as-withdraw" procedure, as specified in . Domains within the D-PATH attribute that contain unrecognized ISF_SAFI_TYPE values MAY be accepted and MUST NOT be considered an error. The D-PATH Path Attribute MUST NOT appear more than once in the Path Attributes of a given BGP UPDATE message. If multiple instances of the D-PATH attribute are present, all instances other than the first MUST be discarded, and the UPDATE message MUST continue to be processed, as per . The D-PATH Path Attribute MAY be included only in UPDATE messages that carry routes of SAFI 128 (IPVPN) or EVPN. It MUST NOT be included with any other AFI/SAFI combinations. If a D-PATH attribute is received in an UPDATE message associated with an unsupported AFI/SAFI, the "treat-as-withdraw" procedure MUST be applied, in accordance with . The use of the D-PATH attribute is restricted to "walled garden" Virtual Private Network (VPN) deployments. An operator MUST NOT enable the generation of D-PATH attributes in conjunction with IPVPN and/or EVPN routes if any CE devices connected to a PE device, belonging to any domain within the VPN, is also connected to the public Internet.Furthermore, a gateway PE MUST support the ability to remove the D-PATH attribute upon route import and export, as determined by local configuration.

A Gateway PE device, depending on its local configuration, is required to propagate an ISF route between two domains that utilize either the same or different ISF SAFIs. This requires defining how a Gateway PE handles the BGP Path Attributes associated with the ISF route during such propagation. This section specifies the BGP Path Attribute propagation behaviors that a Gateway PE MAY apply when it receives an ISF route with ISF SAFI x, installs the route into the relevant IP-VRF, and subsequently re-advertises the route as an ISF route using ISF SAFI y. The values of ISF SAFI x and SAFI y MAY be the same or different.

The No-Propagation Mode is the default operational mode for Gateway PEs when re-exporting ISF routes from one domain into another. In this mode, the Gateway PE re-initializes the BGP Path Attributes during the propagation of an ISF route, treating it in the same manner as a directly connected or locally originated IP prefix. This mode is suitable for deployment scenarios where the source domain-for example, an EVPN domain is "abstracted" and treated as a virtual CE, and where remote IPVPN or IP-based PEs do not require the original EVPN-specific BGP Path Attributes for path selection or policy evaluation. It is important to note that, in No-Propagation Mode, the D-PATH attribute is not propagated. As a result, redundant Gateway PEs may be susceptible to routing loops. While such loops may be mitigated using routing policies or additional attributes, such as the Route Origin extended community , this approach does not guarantee detection or prevention of all potential loop scenarios.

In Uniform Propagation Mode, the Gateway PE retains and propagates a consistent set of commonly used BGP Path Attributes when re-advertising an ISF route between domains. This mode is typically employed in deployments where IP prefixes are seamlessly distributed using both EVPN and IPVPN SAFIs. The following normative behavior MUST be followed by a Gateway PE operating in Uniform Propagation Mode: Upon receiving an ISF route, the gateway PE imports the route into the associated IP-VRF and stores the original BGP Path Attributes. When advertising the route into a different domain, the gateway PE SHOULD propagate only the following set of attributes. All other Path Attributes SHOULD NOT be propagated: AS_PATH D-PATH (only when advertising IPVPN [SAFI 128] or EVPN routes) IBGP-only attributes (when advertising to IBGP peers): LOCAL_PREF, ORIGINATOR_ID, CLUSTER_ID MULTI_EXIT_DISC (MED) AIGP COMMUNITY, EXTENDED_COMMUNITY, LARGE_COMMUNITY, and WIDE_COMMUNITY (as defined in ), except where explicitly excluded in Item 4 below. When re-advertising an ISF route to an IBGP peer, the gateway PE SHOULD preserve the AS_PATH of the original ISF route without modification. When re-advertising to an EBGP peer, the Gateway PE SHOULD prepend the IP-VRF's ASN to the preserved AS_PATH. When propagating an ISF route to IBGP peers, the gateway PE SHOULD retain IBGP-only attributes (e.g., LOCAL_PREF, ORIGINATOR_ID, CLUSTER_ID) from the original ISF route. As the route is re-originated, the gateway PE is not required to perform the route reflector function described in . As stated in Item 1, the gateway PE SHOULD preserve the COMMUNITY, EXTENDED_COMMUNITY, LARGE_COMMUNITY, and WIDE_COMMUNITY attributes from the original ISF route. However, the following Extended Community types SHOULD NOT be propagated:: BGP Encapsulation Extended Communities, as defined in . Route Target Extended Communities. Route Targets MUST NOT be propagated and MUST be re-initialized when re-advertising the ISF route into a different domain. The re-initialized Route Target value MAY or MAY NOT match the value used in the original route. All EVPN-specific Extended Communities. The Gateway PE SHOULD NOT copy the above Extended Community types from the original ISF route into the re-advertised ISF route. For a given ISF route, only the BGP Path Attributes associated with the best path MAY be propagated when re-advertising the route into a different domain. If multiple paths are received for the same prefix within the same ISF SAFI, the standard BGP best path selection procedure MUST be applied to determine the active path and its associated attributes. Even when Equal-Cost Multi-Path (ECMP) is enabled for the IP-VRF, only the Path Attributes of the selected best path SHALL be propagated.

Instead of propagating a high number of (host) ISF routes between domains, a gateway PE that receives multiple ISF routes from a domain MAY choose to propagate a single ISF aggregate route into a different domain. In this document, aggregation is used to combine the characteristics of multiple ISF routes in such way that a single aggregate ISF route can be propagated to the destination domain. Aggregation of multiple ISF routes of one ISF SAFI into an aggregate ISF route is only done by a gateway PE. Aggregation on gateway PEs may use either the No-Propagation-Mode or the Uniform-Propagation-Mode explained in and , respectively. When using Uniform-Propagation-Mode, Path Attributes of the same type code MAY be aggregated according to the following rules: AS_PATH is aggregated based on the rules in . The gateway PEs are not expected to receive AS_PATH attributes with path segments of type AS_SET . Routes received with AS_PATH attributes including AS_SET path segments MUST NOT be aggregated. An ISF aggregate route SHOULD NOT be advertised unless all the contributing ISF routes have the same D-PATH DOMAIN-ID members, regardless of their order. If there is at least one contributing ISF route that has a different D-PATH DOMAIN-ID, the gateway PE SHOULD advertise each contributing ISF route with its own D-PATH (prepended with the gateway's domain). An implementation MAY override this behavior, via policy, to advertise an ISF aggregate route without D-PATH in case the contributing routes did not have the same D-PATH DOMAIN-ID members. The Community, Extended Community, Large Community and Wide Community attributes of an aggregated ISF route SHOULD include the union of the corresponding attributes from all constituent ISF routes that were aggregated, with the exception of those Extended Community types explicitly excluded from propagation as specified in . For other attributes, rules in are followed. If the conditions for route aggregation, as specified above, are satisfied, operators SHOULD consider enabling aggregation in environments with large-scale tenant networks where a significant number of host routes are present. This practice is particularly applicable to deployments such as large-scale data centers.

A PE router may receive the same IP prefix via ISF routes with different ISF SAFIs, and from either the same or different BGP peers. Additionally, the same IP prefix (e.g., a host route) may be received in both an EVPN MAC/IP Advertisement route and an EVPN IP Prefix route. To ensure consistent and deterministic forwarding behavior, a route selection procedure across all ISF SAFIs is required. The objectives of this route selection process are as follows: To ensure that all composite and gateway PEs have a consistent and deterministic view of the preferred path to reach a given IP prefix. To enable meaningful comparison of routes advertised in EVPN and non-EVPN ISF SAFIs based on commonly used path attributes. To support Equal-Cost Multi-Path (ECMP) forwarding across EVPN and non-EVPN ISF SAFI routes, where applicable. For a given prefix received via one or more non-EVPN ISF routes, the standard BGP best path selection procedure, as defined in , is applied to determine the "non-EVPN best paths." Similarly, for a given prefix received via one or more EVPN ISF routes, the same procedure is applied to determine the "EVPN best paths." When both EVPN and non-EVPN ISF routes are present for the same prefix within a single IP-VRF, the PE MUST perform a tie-breaking selection procedure on the union of these best-path sets. The process treats all candidate ISF routes as equally preferable initially, then iteratively removes routes until a single best path (or a valid ECMP set) remains.

The selection procedure MUST follow the standard route selection rules defined in , with the following additional rules and exceptions applied in the specified order: Immediately after applying the Local Preference comparison step from , the PE MUST remove from consideration any routes that do not have the shortest D-PATH attribute. Routes with no D-PATH attribute are considered to have a D-PATH length of zero. This rule MUST NOT be applied to ISF routes that are not imported into an IP-VRF. After applying Rule 1, the standard selection steps MUST continue in order. If, after the previous steps, one or more candidate routes remain and at least one of them is an EVPN MAC/IP Advertisement route (EVPN Route Type 2), then all EVPN IP Prefix routes (EVPN Route Type 5) MUST be removed from consideration. If ECMP is enabled by policy and the remaining candidate routes after Steps 1 through 3 include both EVPN and non-EVPN paths, then both paths MUST be retained. If ECMP is not enabled, and such a case arises, the EVPN path MUST be selected and the non-EVPN path MUST be removed from consideration. This procedure extends the standard BGP best path selection behavior as specified in for SAFI 128 and EVPN IP Prefix routes by incorporating D-PATH based tie-breaking to prefer routes that traverse the fewest Gateway PEs or domains. These rules MUST NOT be applied to routes received under AFI/SAFI combinations other than SAFI 128 or EVPN; such routes get a treat-as-withdraw procedures as described in .

Example 1: PE1 receives three candidate routes for prefix IP1/32, all eligible for import into IP-VRF-1:

Selected route: {SAFI=EVPN, RT-2, Local-Pref=100, AS_PATH=(100,200)} This outcome is due to Step 3, which gives preference to Route Type 2 when both Type 2 and Type 5 EVPN routes exist. Example 2: PE1 receives two candidate routes for prefix IP2/24, both eligible for import into IP-VRF-1:

Selected route: {SAFI=EVPN, RT-5, D-PATH=(6500:3:IPVPN), AS_PATH=(100,200), MED=10} This result is due to Step 1, which prefers the route with the shortest D-PATH.

As described in , composite PEs are typically used in tenant networks where EVPN and IPVPN are both used to provide inter-subnet forwarding within the same composite domain. depicts an example of a composite domain, where PE1/PE2/PE4 are composite PEs (they support EVPN and IPVPN ISF SAFIs on their peering to the Route Reflector), and PE3 is a regular IPVPN PE.

||IP-VRF|------|CE3| Composite PE1 | |+------+ | +---+ +---------------+ | +----------+ | +------+ | EVPN v | | |IP-VRF| | IPVPN +--+ | | +----| | | <------> |RR| | +---+ | | +------+ | +--+ Composite PE4 |CE2|----|MAC-VRF| | ^ ^ +---------+ IP4/24 +---+ | +-------+ | EVPN | | EVPN |+------+ | +---+ +---|-----------+ IPVPN | | IPVPN ||IP-VRF|-----|CE4| | | +----+ +-------->|+------+ | +---+ IP1/24 | | v +---------+ +---+ | | +---------------+ | |CE1|--+ +----| +------+ +--------------+ +---+ | |IP-VRF| | | | +----| | | | | | +------+ | +--------------|MAC-VRF| | | +-------+ | +---------------+ Composite PE2 ]]> In a composite domain comprising both composite and regular PE devices, the following behaviors apply: Prefix Advertisement ConsistencyComposite PEs MUST advertise the same IP prefixes using each ISF SAFI to the Route Reflector (RR). For example, as shown in , the prefix IP1/24 is advertised by PE1 and PE2 to the Route Reflector in two separate NLRI entries: one for AFI/SAFI 1/128 (IPVPN) and another for EVPN. If both routes are advertised with the same set of BGP Path Attributes, the receiving composite PE will select the EVPN route over the IPVPN route, following the route selection procedures defined in . While not required, prioritizing the advertisement of the EVPN route before the IPVPN route is an OPTIONAL optimization. This ensures that the EVPN route is more likely to be selected first, avoiding unnecessary replacement if the IPVPN route arrives later. Route Reflector SAFI-Specific Forwarding BehaviorThe Route Reflector does not forward EVPN routes to peers for which the EVPN SAFI is not enabled, and likewise does not forward IPVPN routes to peers lacking IPVPN SAFI support. For instance, in , the Route Reflector does not forward EVPN routes to PE3 if the EVPN SAFI is not enabled on its BGP session with PE3. However, the IPVPN routes are forwarded to all PEs since they all have IPVPN SAFI enabled. IPVPN PE Route ProcessingRegular IPVPN PEs process and import IPVPN routes as specified in . For example, PE3 receives only the IPVPN route for prefix IP1/24 and resolves the BGP next-hop to an MPLS tunnel (with IP payload) toward PE1 and/or PE2. Composite PE Route SelectionComposite PEs MUST perform route selection for prefixes received via multiple ISF SAFIs, applying the procedures described in : For example, PE4 receives prefix IP1/24 via both an EVPN route and a non-EVPN ISF route (e.g., an IPVPN route). Route selection is performed as specified in . If the EVPN route is selected, PE4 resolves the BGP next-hop to an MPLS tunnel (which may carry either Ethernet or IP payloads) to PE1 and/or PE2. As described in , the tunnel type used between EVPN PEs depends on the model supported. Other composite PEs (e.g., PE1 and PE2) receiving the same prefix via both EVPN and IPVPN SAFIs must also apply the route selection process defined in . Forwarding Behavior Based on Selected RouteOnce a route has been selected for a given IP prefix, packet forwarding MUST follow the forwarding rules associated with the AFI/SAFI of the selected route. Applicability of EVPN Forwarding EnhancementsIn composite domains such as the one depicted in , the advanced forwarding features provided by EVPN are available only to composite and EVPN-capable PEs that select an EVPN IP Prefix route as the best path. These enhancements are not available to IPVPN-only PEs. For example, if PE1 advertises IP1/24 using both EVPN and IPVPN routes, and the EVPN route is selected as the best path, only composite PEs such as PE2 and PE4 can leverage EVPN-specific recursive resolution and forwarding mechanisms. IPVPN PEs, such as PE3, cannot utilize these capabilities. Consequently, the benefits of EVPN-based indirection and route resolution in large-scale deployments may not be available uniformly across all PEs in the network.

As defined in , a gateway PE is an Interworking PE that connects two or more domains and facilitates the propagation of ISF routes between those domains. Typical examples include data center gateway devices that interconnect domains utilizing different ISF SAFIs, such as EVPN and IPVPN, for the same tenant network. The gateway PE procedures specified in this document define the mechanisms required to support ISF route interconnection across such domains. These procedures extend the concept of a gateway PE beyond the scope of , which focuses on Layer 2 interconnection, by providing an analogous interconnection model for ISF route exchange at Layer 3. The procedures described in this section apply to both of the following scenarios: Interconnection between domains utilizing different ISF SAFIs (e.g., EVPN to IPVPN). Interconnection between domains utilizing the same ISF SAFI (e.g., EVPN to EVPN) provides an illustrative example of this model, wherein PE1 and PE2 (as well as PE3 and PE4) operate as gateway PEs interconnecting different domains associated with the same tenant.

<----------IPVPN---------> <----EVPN----> 6500:1:EVPN 6500:2:IPVPN 6500:3:EVPN +-----------------------+ Gateway PE1 Gateway PE3 +----------+ +----------+ +-----------|+------+ | MPLS tnls |+------+ |------------+ | ||IP-VRF| | ||IP-VRF| | | PE5 |+------+ | |+------+ | PE6 +------+ +----------+ +----------+ +------+ |IP-VRF| NVO tnls | | | | NVO tnls |IP-VRF| | | | | | | | | +------+ +----------+ +----------+ +------+ IP1/24--> |+------+ | |+------+ | | | ||IP-VRF| | ||IP-VRF| | | +-----------|+------+ | |+------+ |------------+ +----------+ +----------+ Gateway PE2 +------+ Gateway PE4 +-------|IP-VRF|---------+ | | +------+ PE7 ]]> A gateway PE that is enabled for two ISF SAFIs, referred to here as SAFI x and SAFI y, on the same IP-VRF, MUST follow the procedures described below for propagating routes between domains.

A Gateway PE that imports an ISF SAFI x route for prefix P into an IP-VRF MUST export P using ISF SAFI y if all of the following conditions are met: The route for P is installed in the IP-VRF, indicating that the SAFI x route is well-formed, valid, and selected as the best route. The PE has an active BGP session with a peer supporting SAFI y, enabled for the same IP-VRF. Export policy permits the advertisement of the route. SAFI x and SAFI y are valid ISF SAFIs as defined in . SAFI x and SAFI y MAY be the same. Example: In , Gateway PEs PE1 and PE2 receive an EVPN IP Prefix route for prefix IP1/24, install the route in their respective IP-VRFs, and re-advertise it using SAFI 128 (IPVPN). A Gateway PE that receives an ISF SAFI x route for prefix P into an IP-VRF MUST NOT export P using SAFI y under any of the following conditions: The SAFI x route is not well-formed or valid. Criteria for route validity are defined in the corresponding ISF SAFI specification. For example, an EVPN IP Prefix route that contains both a non-zero EESI and a Gateway IP address is invalid, as specified in , Section 3.2. The D-PATH attribute of the SAFI x route includes one or more DOMAIN-ID values locally configured on the Gateway PE for the associated IP-VRF. In this case, the route is considered a looped ISF route, as described in , and MUST NOT be exported using SAFI y.

If the export conditions are satisfied, the gateway PE MUST advertise prefix P using ISF SAFI y in accordance with the following procedures: If Uniform Propagation Mode (see ) is enabled, the gateway PE MUST include the D-PATH attribute when SAFI y is either SAFI 128 (IPVPN) or EVPN. This enables loop detection at downstream gateway PEs. When propagating an ISF route, the gateway PE MUST prepend a <DOMAIN-ID:ISF_SAFI_TYPE> element to the received D-PATH attribute. The DOMAIN-ID reflects the domain from which the route was received, and the ISF_SAFI_TYPE reflects the SAFI of the received route.If the received route does not include a D-PATH attribute, the gateway PE MUST create and attach a new D-PATH attribute containing a single segment: the <DOMAIN-ID:ISF_SAFI_TYPE> corresponding to the received route.Example: In , gateway PEs PE1 and PE2 receive an EVPN IP Prefix route from PE5 that does not include a D-PATH attribute. PE1 and PE2 add Domain <6500:1:EVPN> to form the new D-PATH. Gateway PEs PE3 and PE4, upon re-advertising the route, prepend <6500:2:IPVPN>, resulting in PE6 receiving the route with D-PATH {<6500:2:IPVPN>, <6500:1:EVPN>}. This information is then used by PE6 in BGP path selection. The gateway PE MAY use the Route Distinguisher (RD) of the IP-VRF when re-advertising prefix P via ISF SAFI y. Label allocation for route advertisement is an implementation-specific matter. The gateway PE MAY use per-VRF, per-prefix, or other label allocation models. The gateway PE MUST support the use of distinct Route Target (RT) sets per domain on the same IP-VRF. If multiple domains associated with a tenant use different RT sets, the gateway PE MUST be capable of importing and exporting routes according to each domain's RT configuration. Although illustrates a scenario with only two domains per gateway PE, gateway PEs MAY interconnect more than two domains. There is no restriction on the number of gateway PEs that a given prefix P may traverse before reaching its destination. If Uniform Propagation Mode is used for BGP Path Attribute propagation, the gateway PE MUST follow the procedures defined in in addition to the D-PATH specific behavior described in item (a). Informative Note: If prefix P is originated in an EVPN domain and subsequently traverses one or more non-EVPN ISF SAFI domains, it will lose EVPN-specific attributes used for advanced EVPN procedures. For example, if PE1 advertises prefix IP1/24 along with a non-zero ESI (for recursive resolution to that ESI), the ESI value will be reset to zero by the time the route reaches PE6, as it passed through an ISF SAFI domain that is not EVPN-capable. Consequently, certain EVPN-specific functionalities may not be preserved end-to-end.

While network deployments involving Interworking PEs may align with the scenarios described in and , there are cases where a combination of both gateway PE and composite PE functionality is required. illustrates an example in which gateway PEs also operate as composite PEs. In such scenarios, the devices must not only propagate ISF routes between domains, such as between EVPN and IPVPN SAFIs or across multiple EVPN domains, but also interoperate with IPVPN-only PEs within domains that include a mix of composite and IPVPN-only PEs.

||IP-VRF|---TS3 (GW+composite) PE1 | |+------+ | +---------------+ | +---------+ | +------+ | EVPN v | | |IP+VRF| | IPVPN +--+ | | +----| | | <------>|RR| | +--------| | +------+ | +--+ Composite PE4 | | |MAC+VRF| | ^ ^ +---------+ | | +-------+ | EVPN | | EVPN |+------+ | +----+ +---------------+ IPVPN | | IPVPN ||IP-VRF|---TS4 TS1-|NVE1| | +----+ +------->|+------+ | +----+ | v +---------+ | EVPN DC | +---------------+ | | NVO tnls +----| +------+ |-------------+ | | |IP+VRF| | | | +----| | | | | | +------+ | | +----+ | |MAC+VRF| | +-----|NVE2|---------| +-------+ | +----+ +---------------+ | (GW+composite) PE2 TS2 ]]> In the example illustrated, PE1 and PE2 MUST follow the procedures defined in and . Unlike the scenario described in , PE1 and PE2 are additionally required to propagate ISF routes between EVPN domains (i.e., EVPN-to-EVPN), in addition to EVPN-to-IPVPN propagation. It is important to note that PE1 and PE2 will receive the IP prefix associated with TS4 via both IPVPN and EVPN IP Prefix routes. When re-advertising the selected route to NVE1 and NVE2, PE1 and PE2 MUST apply the D-PATH handling rules and related attribute processing as described in (Route Selection Process).

An Interworking PE, whether operating in a Gateway PE or Composite PE role, MUST adhere to the following error-handling procedures when processing Inter-Subnet Forwarding (ISF) routes: Any BGP UPDATE message for an ISF route that includes a D-PATH Path Attribute MUST be handled in accordance with the error-handling rules defined in of this document. All received BGP UPDATE messages for ISF routes MUST conform to the general error-handling procedures specified in . This specification introduces no new error-handling behaviors for BGP UPDATE messages that contain NLRI and BGP Path Attributes defined in other specifications. Implementations SHOULD apply the relevant error-handling rules specified for each supported route type. Applicable references include:: BGP IP routes: , . IPVPN routes: , . EVPN MAC/IP Advertisement routes (Route Type 2): , . EVPN IP Prefix routes (Route Type 5): . ISF routes installed in IP-VRFs with SRv6 forwarding: . If a Gateway PE is configured to propagate BGP Path Attributes for ISF routes between domains, the procedures specified in are intended to ensure that receiving BGP speakers do not encounter UPDATE messages containing well-formed but semantically inappropriate BGP Path Attributes. However, if a gateway PE incorrectly propagates such attributes in violation of the procedures in , receiving PEs MUST apply the error-handling rules defined in the applicable specifications for the relevant route type and attribute. The following are examples of such scenarios and their handling: If a Gateway PE erroneously propagates the BGP Encapsulation Extended Community or the equivalent Encapsulation TLV in the Tunnel Encapsulation Attribute from one EVPN domain to another, the receiving PE MAY receive two encapsulation indications with different values. In such a case, the PE MUST follow the procedures in , which permit signaling multiple encapsulation types. As specified in , encapsulations carried via the Tunnel Encapsulation Attribute MUST be treated as equivalent to those conveyed via the Encapsulation Extended Community. If a gateway PE propagates an EVPN Extended Community from an EVPN domain into an IPVPN domain, the receiving IPVPN PE MUST ignore such communities, as their semantics are not applicable to the IPVPN SAFI. If a gateway PE erroneously propagates a BGP Prefix-SID attribute containing SRv6 Service TLVs for an ISF route between domains, and the receiving PE receives multiple SRv6 TLV instances, it MUST apply the procedures specified in for resolving multiple TLVs.

This document defines procedures applicable to PE routers that process and advertise ISF routes for a given tenant. In particular, the following key procedures are specified: A route selection algorithm that enables a PE to deterministically select a best path among candidates learned via EVPN and other ISF SAFIs. A new BGP Path Attribute, referred to as the Domain Path (D-PATH) attribute, which provides loop prevention capabilities and conveys domain traversal information for a given route. The rules governing BGP Path Attribute propagation across domains to maintain semantic consistency and enable cross-domain route processing. The operational procedures required on Interworking PEs that function as composite PEs, gateway PEs, or devices supporting both roles. Collectively, these procedures equip operators with the necessary mechanisms to deploy scalable tenant networks spanning multiple administrative or routing domains, employing different ISF SAFIs for IP prefix dissemination while maintaining deterministic forwarding behavior and routing loop protection.

The security considerations outlined in and are applicable to this specification. This document introduces the D-PATH Path Attribute (), which provides a mechanism for control-plane loop prevention when ISF IPVPN and EVPN routes are propagated across multiple domains via Gateway PEs. When configured and supported correctly, the use of the D-PATH attribute helps prevent both control-plane and data-plane loops. However, incorrect configuration of DOMAIN-ID values or inconsistent support for D-PATH among Gateway PEs may result in false-positive loop detection, traffic discarding, or suboptimal and inconsistent routing behavior. Furthermore, as D-PATH is a transitive BGP attribute, a malicious actor may attempt to inject incorrect domain information that propagates across multiple administrative boundaries. To mitigate such risks, the use of D-PATH is explicitly restricted to IPVPN and EVPN routes within "walled garden" Virtual Private Networks, as specified in . A PE that conforms to this specification MUST remove the D-PATH attribute prior to advertising a prefix to a CE router in a SAFI 1 (NLRI used for unicast forwarding) route. If a non-upgraded PE that does not support D-PATH receives such a route and is connected to a CE with Internet access, it may erroneously propagate the D-PATH attribute in a SAFI 1 UPDATE to the CE. If the CE further propagates the route, the D-PATH attribute could inadvertently escape into the public Internet. However, the presence of the D-PATH attribute in SAFI 1 routes MUST NOT impact BGP best-path selection for those routes and, as such, cannot introduce routing loops or instability in the Internet. Additionally, BGP speakers beyond the "walled garden" that support D-PATH and receive the attribute in SAFI 1 routes MUST apply the "treat-as-withdraw" behavior, as described in and consistent with . As a further safeguard, implementations SHOULD enforce local policy on upgraded PEs to discard any ISF EVPN or IPVPN routes received from non-upgraded peers if such routes include a D-PATH attribute, to prevent unintended propagation. of this document introduces Uniform Propagation Mode, which enables gateway PEs to propagate a consistent set of BGP Path Attributes across domain boundaries. This mode enhances operational visibility by preserving attributes end-to-end along the route path. However, it also introduces the possibility that an attacker could inject malformed or semantically inappropriate, but syntactically correct, attributes that influence BGP path selection in remote domains. To mitigate this risk, an operator MAY choose to deploy No-Propagation Mode (), wherein BGP Path Attributes are re-initialized upon domain transition. While this limits attribute-based attack vectors, it also eliminates the ability of downstream PEs to inspect the original set of BGP Path Attributes as intended by the route originator. Operators SHOULD carefully weigh the trade-offs between visibility and control when selecting the appropriate propagation mode and ensure that policies are in place to validate attribute contents at domain boundaries.

This document defines a new BGP path attribute known as the BGP Domain Path (D-PATH) attribute. IANA has assigned a new attribute code type from the "BGP Path Attributes" subregistry under the "Border Gateway Protocol (BGP) Parameters" registry:

The authors want to thank Russell Kelly, Dhananjaya Rao, Suresh Basavarajappa, Mallika Gautam, Senthil Sathappan, Arul Mohan Jovel, Naveen Tubugere, Mathanraj Petchimuthu, Eduard Vasilenko, Amit Kumar, Mohit Kumar, Lukas Krattiger, Gyan Mishra and Stephane Litkowski for their review and suggestions. Thanks to Sue Hares and Jeff Haas as well, for their detailed review to clarify the procedures of the D-PATH attribute. The authors want to also thank especially Gunter van de Velde for his thorough review that helped raise the quality of the document significantly.

&RFC7432; &RFC8365; &RFC4271; &RFC4364; &RFC2119; &RFC8174; &RFC7606; &RFC4760; &RFC9136; &RFC9135; &RFC9252; &RFC4360; &RFC9012; &RFC9774; &RFC4659; &RFC8950; &RFC9014; &I-D.ietf-idr-wide-bgp-communities; &RFC4456;