Multicast Source Redundancy in EVPN Networks

Multicast Source Redundancy in EVPN Networks Nokia

520 Almanor Avenue Sunnyvale CA 94085 USA jorge.rabadan@nokia.com

Nokia

520 Almanor Avenue Sunnyvale, CA 94085 USA jayant.kotalwar@nokia.com

Nokia

520 Almanor Avenue Sunnyvale, CA 94085 USA senthil.sathappan@nokia.com

Juniper Networks

zzhang@juniper.net

Juniper Networks

wlin@juniper.net

BESS Workgroup Ethernet Virtual Private Network (EVPN) supports intra and inter-subnet IP multicast forwarding. However, EVPN (or conventional IP multicast techniques for that matter) do not have a solution for the case where the following two statements are true at the same time: a) a given multicast group carries more than one flow (i.e., more than one source), and b) it is desired that each receiver gets only one of the several flows. Existing multicast techniques assume there are no redundant sources sending the same flow to the same IP multicast group, and, in case there were redundant sources, the receiver's application would deal with the received duplicated packets. This document extends the existing EVPN specifications and assumes that IP Multicast source redundancy may exist. It also assumes that, in case two or more sources send the same IP Multicast flows into the tenant domain, the EVPN PEs need to avoid that the receivers get packet duplication by following the described procedures.

Intra and Inter-subnet IP Multicast forwarding are supported in EVPN networks. describes the procedures required to optimize the delivery of IP Multicast flows when Sources and Receivers are connected to the same EVPN Broadcast Domain, whereas specifies the procedures to support Inter-subnet IP Multicast in a tenant network. Inter-subnet IP Multicast means that IP Multicast Source and Receivers of the same multicast flow are connected to different Broadcast Domains of the same tenant. , or conventional IP multicast techniques do not have a solution for the case where the following two statements are true at the same time: a) a given multicast group carries more than one flow (i.e., more than one source) and b) it is desired that each receiver gets only one of the several flows. Multicast techniques assume there are no redundant sources sending the same flows to the same IP multicast group, and, in case there were redundant sources, the receiver's application would deal with the received duplicated packets. As a workaround in conventional IP multicast (that is, networks running PIM or MVPN), if all the redundant sources are given the same IP address, each receiver will get only one flow. The reason is that, in conventional IP multicast, the RP (Rendezvous Point) always creates (S,G) state, and the Last Hop Router (LHR) sometimes creates (S,G) state. The (S,G) state always binds the (S,G) flow to a source-specific tree, rooted at the source IP address. If multiple sources have the same IP address, one may end up with multiple (S,G) trees. However, the way the trees are constructed ensures that any given Last Hop Router or Rendezvous Point router is on at most one of them. The use of an anycast address assigned to multiple sources may be useful for warm standby redundancy solutions (). However, on one hand, it is not really helpful for hot standby redundancy solutions () and on the other hand, configuring the same IP address (in particular, the same IPv4 address) in multiple sources may bring issues if the sources need to be reached by IP unicast traffic or if the sources are attached to the same Broadcast Domain. In addition, in the scenario where several multicast sources streaming traffic to the same group are attached via EVPN/OISM (Optimized Inter-Subnet Multicast), there is not necessarily any (S,G) state created for the redundant sources. The Last Hop Routers may have only (*,G) state, and there may not be a Rendezvous Point router (creating (S,G) state) either. Therefore, this document extends the above two specifications and assumes that IP Multicast source redundancy may exist. It also assumes that, in case two or more sources send the same IP Multicast flows into the tenant domain, the EVPN PEs need to avoid that the receivers get packet duplication. The procedures to handle redundant sources in solutions different than or are out of the scope of this document. The solution provides support for Warm Standby (WS) and Hot Standby (HS) redundancy. WS is defined as the redundancy scenario in which the upstream PEs, attached to the redundant sources of the same tenant, make sure that only one source of the same flow can send multicast to the interested downstream PEs at the same time. In HS mode, the upstream PEs forward the redundant multicast flows to the downstream PEs, and the downstream PEs make sure only one flow is forwarded to the interested attached receivers.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Broadcast Domain (BD): an emulated ethernet, such that two systems on the same BD will receive each other's link-local broadcasts. In this document, BD also refers to the instantiation of a Broadcast Domain on an EVPN PE. An EVPN PE can be attached to one or multiple BDs of the same tenant. BUM: Broadcast, Unknown unicast and Multicast traffic. Designated Forwarder (DF): as defined in , an ethernet segment may be multi-homed (attached to more than one PE). An ethernet segment may also contain multiple BDs, of one or more EVIs. For each such EVI, one of the PEs attached to the segment becomes that EVI's DF for that segment. Since a BD may belong to only one EVI, we can speak unambiguously of the BD's DF for a given segment. Downstream PE: in this document a Downstream PE is referred to as the EVPN PE that is connected to the IP Multicast receivers and gets the IP Multicast flows from remote EVPN PEs. G-traffic: any frame with an IP payload whose IP Destination Address (IP DA) is a multicast group G. G-source: any system sourcing IP multicast traffic to group G. IGMP: Internet Group Management Protocol. Inclusive Multicast Tree or Inclusive Provider Multicast Service Interface (I-PMSI): defined in , in this document it is applicable only to EVPN and refers to the default multicast tree for a given BD. All the EVPN PEs that are attached to a specific BD belong to the I-PMSI for the BD. The I-PMSI trees are signaled by EVPN Inclusive Multicast Ethernet Tag (IMET) routes. IMET route: EVPN Inclusive Multicast Ethernet Tag route, as in . MLD: Multicast Listener Discovery. MVPN: Multicast Virtual Private Networks, as in . OISM: Optimized Inter-Subnet Multicast, as in . PIM: Protocol Independent Multicast, as in . P-tunnel: Provider tunnel refers to the type of tree a given upstream EVPN PE uses to forward multicast traffic to downstream PEs. Examples of P-tunnels supported in this document are Ingress Replication (IR), Assisted Replication (AR), Bit Indexed Explicit Replication (BIER), multicast Label Distribution Protocol (mLDP) or Point to Multi-Point Resource Reservation protocol with Traffic Engineering extensions (P2MP RSVP-TE). Redundant G-source: a host or router that transmits an SFG in a tenant network where there are more hosts or routers transmitting the same SFG. Redundant G-sources for the same SFG SHOULD have different IP addresses, although they MAY have the same IP address when in different BDs of the same tenant network. Redundant G-sources are assumed NOT to be "bursty" in this document (typical example are Broadcast TV G-sources or similar). S-ES and S-ESI: multicast Source Ethernet Segment and multicast Source Ethernet Segment Identifier. The Ethernet Segment and Ethernet Segment Identifier associated to a G-source. Selective Multicast Tree or Selective Provider Multicast Service Interface (S-PMSI): defined in , in this document it is applicable only to EVPN and refers to the multicast tree to which only the interested PEs of a given BD belong to. There are two types of EVPN S-PMSIs: EVPN S-PMSIs that require the advertisement of S-PMSI Auto-Discovery (S-PMSI A-D) routes from the upstream PE, as in . The interested downstream PEs join the S-PMSI tree as in . EVPN S-PMSIs that don't require the advertisement of S-PMSI AD routes. They use the forwarding information of the IMET routes, but upstream PEs send IP Multicast flows only to downstream PEs issuing Selective Multicast Ethernet Tag (SMET) routes for the flow. These S-PMSIs are only supported with the following P-tunnels: Ingress Replication (IR), Assisted Replication (AR) and BIER. SFG: Single Flow Group, i.e., a multicast group which represents traffic that contains only a single flow. Multiple sources - with the same or different IP - may be transmitting an SFG. An SFG is represented as (*,G) if any source that issues multicast traffic to G is a redundant G-source. An SFG can also be represented as (S,G), where S is a prefix of any length. In this case, a source is considered a redundant G-source for the SFG if it is contained in the prefix. SMET route: Selective Multicast Ethernet Tag route, as in . (S,G) and (*,G): used to describe multicast packets or multicast state. S stands for Source (IP address of the multicast traffic) and G stands for the Group or multicast destination IP address of the group. An (S,G) multicast packet refers to an IP packet with source IP address "S" and destination IP address "G", and it is forwarded on a multicast router if there is a corresponding state for (S,G). A (*,G) multicast packet refers to an IP packet with "any" source IP address and a destination IP address "G", and it is forwarded on a multicast router based on the existance of the corresponding (*,G) state. The document uses variations of these terms. For example, (S1,G1) represents the multicast packets or multicast state for source IP address "S1" and group IP address "G1". Upstream PE: in this document an Upstream PE is referred to as the EVPN PE that is connected to the IP Multicast source or closest to it. It receives the IP Multicast flows on local ACs (Attachment Circuits). This document also assumes familiarity with the terminology of , , , , , , and .

IP Multicast is all about forwarding a single copy of a packet from a source S to a group of receivers G along a multicast tree. That multicast tree can be created in an EVPN tenant domain where S and the receivers for G are connected to the same Broadcast Domain or different Broadcast Domain. In the former case, we refer to Intra-subnet IP Multicast forwarding, whereas the latter case will be referred to as Inter-subnet IP Multicast forwarding.

When the source S1 and receivers interested in G1 are attached to the same Broadcast Domain, the EVPN network can deliver the IP Multicast traffic to the receivers in two different ways ():

Model (a) illustrated in is referred to as "IP Multicast delivery as BUM traffic". This way of delivering IP Multicast traffic does not require any extensions to , however, it sends the IP Multicast flows to non-interested receivers, such as e.g., R3 in . In this example, downstream PEs can snoop IGMP/MLD messages from the receivers so that layer-2 multicast state is created and, for instance, PE4 can avoid sending (S1,G1) to R3, since R3 is not interested in (S1,G1). Model (b) in uses an S-PMSI to optimize the delivery of the (S1,G1) flow. For instance, assuming PE1 uses IR, PE1 sends (S1,G1) only to the downstream PEs that issued an SMET route for (S1,G1), that is, PE2 and PE3. In case PE1 uses any P-tunnel different than IR, AR or BIER, PE1 will advertise an S-PMSI A-D route for (S1,G1) and PE2/PE2 will join that tree. Procedures for Model (b) are specified in .

If the source and receivers are attached to different BDs of the same tenant domain, the EVPN network can also use Inclusive or Selective Trees as depicted in , models (a) and (b) respectively.

specifies the procedures to optimize the Inter-subnet Multicast forwarding in an EVPN network. The IP Multicast flows are always sent in the context of the source BD. As described in , if the downstream PE is not attached to the source BD, the IP Multicast flow is received on the SBD (Supplementary Broadcast Domain), as in the example in . supports Inclusive or Selective Multicast Trees, and as explained in , the Selective Multicast Trees are setup in a different way, depending on the P-tunnel being used by the source Broadcast Domain. As an example, model (a) in illustrates the use of an Inclusive Multicast Tree for Broadcast Domain BD1 on PE1. Since the downstream PEs are not attached to BD1, they will all receive (S1,G1) in the context of the Supplementary Broadcast Domain (SBD) and will locally route the flow to the local Attachment Circuits. Model (b) uses a similar forwarding model, however PE1 sends the (S1,G1) flow in a Selective Multicast Tree. If the P-tunnel is Ingress Replication (IR), Assisted Replication (AR) or Bit Index Explicit Replication (BIER), PE1 does not need to advertise an S-PMSI A-D route. is a superset of the procedures in , in which sources and receivers can be in the same or different Broadcast Domain of the same tenant. ensures every upstream PE attached to a source will learn of all other PEs (attached to the same Tenant Domain) that have interest in a particular set of flows. This is because the downstream PEs advertise SMET routes for a set of flows with the Supplementary Broadcast Domain's Route Target and they are imported by all the Upstream PEs of the tenant. As a result of that, inter-subnet multicasting can be done within the Tenant Domain, without requiring any Rendezvous Points (RP), shared trees, Upstream Multicast Hop (UMH) selection or any other complex aspects of conventional multicast routing techniques.

Contrary to conventional multicast routing technologies, multi-homing PEs attached to the same source can never create IP Multicast packet duplication if the PEs use a multi-homed Ethernet Segment (ES). illustrates this by showing two multi-homing PEs (PE1 and PE2) that are attached to the same source (S1). We assume that S1 is connected to an all-active Ethernet Ssegment by a layer-2 switch (SW1) with a Link Aggregation Group (LAG) to PE1 and PE2.

+-----------|---+ +---|-----------+ | +---+ +---+ | | +---+ | R1 <-----|BD2| |BD1| | | |BD1| | | +---+---+---+ | | +---+---+ | +----| |VRF| | | | |VRF| |----+ | | +---+---+ | | | +---+---+ | | | | |SBD| | | | |SBD| | | | | +---+ | | | +---+ | | | +------------|--+ +---------------+ | | | | | | | | | | | EVPN | ^ | | OISM v PE3 | SMET | | +---------------+ | (*,G1) | | | +---+ | | | | | |SBD| | | | | +---+---+ | | +--------------| |VRF| |----------------+ | +---+---+---+ | | |BD2| |BD3| | | +-|-+ +-|-+ | +---|-------|---+ ^ | | ^ IGMP | v v | IGMP J(*,G1) | R2 R3 | J(S1,G1) ]]> When receiving the (S1,G1) flow from S1, SW1 will choose only one link to send the flow, as per . Assuming PE1 is the receiving PE on Broadcast Domain BD1, the IP Multicast flow will be forwarded as soon as BD1 creates multicast state for (S1,G1) or (*,G1). In the example of , receivers R1, R2 and R3 are interested in the multicast flow to G1. R1 will receive (S1,G1) directly via the IRB interface as per . Upon receiving IGMP reports from R2 and R3, PE3 will issue an SMET (*,G1) route that will create state in PE1's Broadcast Domain BD1. PE1 will therefore forward the IP Multicast flow to PE3's SBD and PE3 will forward to R2 and R3, as per procedures. When IP Multicast source multi-homing is required, EVPN multi-homed Ethernet Segments MUST be used. EVPN multi-homing guarantees that only one Upstream PE will forward a given multicast flow at the time, avoiding packet duplication at the Downstream PEs. In addition, the SMET route for a given flow creates state in all the multi-homing Upstream PEs. Therefore, in case of failure on the Upstream PE forwarding the flow, the backup Upstream PE can forward the flow immediately. This document assumes that multi-homing PEs attached to the same source always use multi-homed Ethernet Segments.

While multi-homing PEs to the same IP Multicast G-source provides certain level of resiliency, multicast applications are often critical in the Operator's network and greater level of redundancy is required. This document assumes that: Redundant G-sources for an Single Flow Group (SFG) may exist in the EVPN tenant network. A Redundant G-source is a host or a router that sends an Single Flow Group stream in a tenant network where there is another host or router sending traffic to the same Single Flow Group. Those redundant G-sources may be in the same Broadcast Domain or different Broadcast Domains of the tenant. There must not be restrictions imposed on the location of the receiver systems either. The redundant G-sources can be single-homed to only one EVPN PE or multi-homed to multiple EVPN PEs. The EVPN PEs must avoid duplication of packets of the same Single Flow Group on the receiver systems.

An Single Flow Group (SFG) is represented as (*,G) if any source that issues multicast traffic to G is a redundant G-source. Alternatively, this document allows a Single Flow Group to be represented as (S,G), where the source IP address "S" is a prefix of any length. In this case, a source is considered a redundant G-source for the Single Flow Group if it is contained in the prefix. This document allows variable length prefixes in the Sources advertised in S-PMSI A-D routes only for the particular application of redundant G-sources. There are two redundant G-source solutions described in this document: Warm Standby (WS) Solution Hot Standby (HS) Solution The Warm Standby solution is considered an upstream-PE-based solution (since downstream PEs do not participate in the procedures), in which all the upstream PEs attached to redundant G-sources for a Single Flow Group represented by (*,G) or (S,G) will elect a "Single Forwarder" (SF) among themselves. Once a Single Forwarder is elected, the upstream PEs add an Reverse Path Forwarding (RPF) check to the (*,G) or (S,G) state for the Single Flow Group: A non-Single Forwarder upstream PE discards any (*,G)/(S,G) packets received over a local Attachment Circuit. The Single Forwarder accepts and forwards any (*,G)/(S,G) packets it receives over a single local Attachment Circuit (for the Single Flow Group). In case (*,G)/(S,G) packets for the Single Flow Group are received over multiple local Attachment Circuits, they will be discarded in all the local Attachment Circuits but one. The procedure to choose the local Attachment Circuit that accepts packets is a local implementation matter. A failure on the Single Forwarder will result in the election of a new Single Forwarder. The Election requires BGP extensions on the existing EVPN routes. These extensions and associated procedures are described in and respectively. In the Hot Standby solution the downstream PEs are the ones avoiding the Single Flow Group duplication. The upstream PEs are aware of the locally attached G-sources and add a unique Ethernet Segment Identifier label (ESI-label) per Single Flow Group to the multicast packets forwarded to downstream PEs. The downstream PEs pull the Single Flow Group from all the upstream PEs attached to the redundant G-sources and avoid duplication on the receiver systems by adding a Reverse Path Forwarding check to the (*,G) state for the Single Flow Group: A downstream PE discards any (*,G) packets it receives from the "wrong G-source". The wrong G-source is identified in the data path by an Ethernet Segment Identifier label that is different than the Ethernet Segment Identifier label used for the selected G-source. Note that the Ethernet Segment Identifier label is used here for "ingress filtering" (at the egress/downstream PE) as opposed to the "egress filtering" (at the egress/downstream PE) used in the split-horizon procedures. In the Ethernet Segment Identifier label indicates what egress Attachment Circuits must be skipped when forwarding BUM traffic to the egress. In this document, the Ethernet Segment Identifier label indicates what ingress traffic must be discarded at the downstream PE. The use of Ethernet Segment Identifier labels for Single Flow Groups forwarded by upstream PEs require some control plane and data plane extensions in the procedures used by for multi-homing. Upon failure of the selected G-source, the downstream PE will switch over to a different selected G-source, and will therefore change the Reverse Path Forwarding check for the (*,G) state. The extensions and associated procedures are described in and respectively. An operator should use the Hot Standby solution if they require a fast fail-over time and the additional bandwidth consumption is acceptable (Single Flow Group packets are received multiple times on the downstream PEs). Otherwise the operator should use the Warm Standby solution, at the expense of a slower fail-over time in case of a G-source or upstream PE failure. Besides bandwidth efficiency, another advantage of the Warm Standby solution is that only the upstream PEs attached to the redundant G-sources for the same Single Flow Group need to be upgraded to support the new procedures. This document does not impose the support of both solutions on a system. If one solution is supported, the support of the other solution is OPTIONAL.

This document makes use of the following BGP EVPN extensions: Single Flow Group flag in the Multicast Flags Extended CommunityThe Single Flow Group (SFG) flag is a new bit requested to IANA out of the registry Multicast Flags Extended Community Flag Values. This new flag is set for S-PMSI A-D routes that carry a (*,G)/(S,G) Single Flow Group in the NLRI. ESI Label Extended Community is used in S-PMSI A-D routesThe Hot Standby solution requires the advertisement of one or more ESI Label Extended Communities that encode the Ethernet Segment Identifier(s) associated to an S-PMSI A-D (*,G)/(S,G) route that advertises the presence of a Single Flow Group. Only the ESI Label value in the extended community is relevant to the procedures in this document. The Flags field in the extended community will be advertised as 0x00 and ignored on reception. specifies that the ESI Label Extended Community is advertised along with the A-D per ES route. This documents extends the use of this extended community so that it can be advertised multiple times (with different ESI values) along with the EVPN S-PMSI A-D route.

The general procedure is described as follows: Configuration of the upstream PEs Upstream PEs (possibly attached to redundant G-sources) need to be configured to know which groups are carrying only flows from redundant G-sources, that is, the Single Flow Groups (SFGs) in the tenant domain. They will also be configured to know which local Broadcast Domains may be attached to a redundant G-source. The Single Flow Groups can be configured for any source, E.g., SFG for "*", or for a prefix that contains multiple sources that will issue the same SFG, i.e., "10.0.0.0/30". In the latter case sources 10.0.0.1 and 10.0.0.2 are considered as Redundant G-sources, whereas 10.0.0.10 is not considered a redundant G-source for the same SFG.As an example (): PE1 is configured to know that G1 is an SFG for any source and redundant G-sources for G1 may be attached to Broadcast Domains BD1 or BD2. Or PE1 can also be configured to know that G1 is an SFG for the sources contained in 10.0.0.0/30, and those redundant G-sources may be attached to Broadcast Domains BD1 or BD2. Signaling the location of a G-source for a given Single Flow GroupUpon receiving G-traffic for a configured SFG on a Broadcast Domain, an upstream PE configured to follow this procedure, e.g., PE1: Originates an S-PMSI A-D (*,G)/(S,G) route for the SFG. An (*,G) route is advertised if the SFG is configured for any source, and an (S,G) route is advertised (where the Source can have any length) if the SFG is configured for a prefix. The S-PMSI A-D route is imported by all the PEs attached to the tenant domain. In order to do that, the route will use the SBD-RT (Supplementary Broadcast Domain Route Target) in addition to the BD-RT (Broadcast Domain Route Target) of the Broadcast Domain over which the G-traffic is received. The route SHOULD also carry a Designated Forwarder Election Extended Community and a flag indicating that it conveys an SFG. The Designated Forwarder Election extended community and its use is specified in . The above S-PMSI A-D route MAY be advertised with or without PMSI Tunnel Attribute: With no PMSI Tunnel Attribute if an I-PMSI or S-PMSI A-D with Ingress Replication, Assisted Replication or BIER are to be used. With PMSI Tunnel Attribute in any other case. The S-PMSI A-D route is triggered by the first packet of the SFG and withdrawn when the flow is not received anymore. Detecting when the G-source is no longer active is a local implementation matter. The use of a timer is RECOMMENDED. The timer is started when the traffic to G1 is not received. Upon expiration of the timer, the PE will withdraw the route. Single Forwarder (SF) ElectionIf the PE with a local G-source receives one or more S-PMSI A-D routes for the same Single Flow Group from a remote PE, it will run a Single Forwarder Election based on the information encoded in the Designated Forwarder Election extended community. Two S-PMSI A-D routes are considered for the same SFG if they are advertised for the same tenant, and their Multicast Source Length, Multicast Source, Multicast Group Length and Multicast Group fields match. A given Designated Forwarder Algorithm can only be used if all the PEs running the Algorithm have consistent input. For example, in an OISM network, if the redundant G-sources for an SFG are attached to Broadcast Domains with different Ethernet Tags, the Default Designated Forwarder Election Algorithm MUST NOT be used. In case the there is a mismatch in the Designated Forwarder Election Algorithm or capabilities advertised by two PEs competing for the Single Forwarder role, the lowest PE IP address (given by the Originator Address in the S- PMSI A-D route) will be used as a tie-breaker. Reverse Path Forwarding check on the PEs attached to a redundant G-sourceAll the PEs with a local G-source for the Single Flow Group will add a Reverse Path Forwarding check to the (*,G)/(S,G) state for the Single Flow Group. That Reverse Path Forwarding check depends on the Single Forwarder Election result: The non-Single Forwarder PEs discard any (*,G)/(S,G) packets for the Single Flow Group received over a local Attachment Circuit. The Single Forwarder accepts any (*,G)/(S,G) packets for the Single Flow Group it receives over one (and only one) local Attachment Circuit. The solution above provides redundancy for Single Flow Groups and it does not require an upgrade of the downstream PEs (PEs where there is certainty that no redundant G-sources are connected). Other G-sources for non-Single Flow Groups may exist in the same tenant domain. This document does not change the existing procedures for non-Single Flow Group G-sources. The redundant G-sources can be single-homed or multi-homed to a Broadcast Domain in the tenant domain. Multi-homing does not change the above procedures. and show two examples of the Warm Standby solution.

illustrates an example in which S1 and S2 are redundant G-sources for the Single Flow Group (*,G1).

|BD1|--+ | |+---+ | |+---+ | |+---+ | +------------+ +------------+ +------------+ | ^ | ^ | | IGMP | | IGMP R1 | J(*,G1) R3 | J(*,G1) ]]> The Warm Standby solution works as follows: Configuration of the upstream PEs, PE1 and PE2 PE1 and PE2 are configured to know that G1 is an Single Flow Group for any source and redundant G-sources for G1 may be attached to Broadcast Domains BD1 or BD2, respectively. Signaling the location of S1 and S2 for (*,G1) Upon receiving (S1,G1) traffic on a local Attachment Circuit, PE1 and PE2 originate S-PMSI A-D (*,G1) routes with the SBD-RT (Supplementary Broadcast Domain Route Target), Designated Forwarder Election Extended Community and a flag indicating that it conveys a Single Flow Group. Single Forwarder (SF) Election Based on the Designated Forwarder Election extended community content, PE1 and PE2 elect a Single Forwarder for (*,G1). Assuming both PEs agree on e.g., Preference based Election as the algorithm to use , and PE1 has a higher preference, PE1 becomes the Single Forwarder for (*,G1). Reverse Path Forwarding check on the PEs attached to a redundant G-source The non-Single Forwarder, PE2, discards any (*,G1) packets received over a local Attachment Circuit. The Single Forwarder, PE1 accepts (*,G1) packets it receives over one (and only one) local Attachment Circuit. The end result is that, upon receiving reports for (*,G1) or (S,G1), the downstream PEs (PE3 and PE5) will issue SMET routes and will pull the multicast Single Flow Group from PE1, and PE1 only. Upon a failure on S1, the Attachment Circuit connected to source S1 or PE1 itself will trigger the S-PMSI A-D (*,G1) withdrawal from PE1 and PE2 will be promoted to Single Forwarder.

illustrates an example in which S1 and S2 are redundant G-sources for the Single Flow Group (*,G1), however, now all the G-sources and receivers are connected to the same Broadcast Domain BD1 and there is no Supplementary Broadcast Domain.

|BD1| | | +---+ | | +---+ | | +---+ | | | | | | | | | | | | | | | | | | | +------------+ +------------+ +------------+ | ^ | ^ | | IGMP | | IGMP R1 | J(*,G1) R3 | J(*,G1) ]]> The same procedure as in is valid here, being this a sub-case of the one in . Upon receiving traffic for the Single Flow Group G1, PE1 and PE2 advertise the S-PMSI A-D routes with route target BD1-RT only, since there is no Supplementary Broadcast Domain (SBD).

If fast-failover is required upon the failure of a G-source or PE attached to the G-source and the extra bandwidth consumption in the tenant network is not an issue, the Hot Standby solution should be used. The procedure is as follows: Configuration of the PEsAs in the Warm Standby case, the upstream PEs where redundant G-sources may exist need to be configured to know which groups (for any source or a prefix containing the intended sources) are carrying only flows from redundant G-sources, that is, the Single Flow Groups in the tenant domain. In addition (and this is not done in Warm Standby mode), the individual redundant G-sources for a Single Flow Group need to be associated with an Ethernet Segment on the upstream PEs. This is irrespective of the redundant G-source being multi-homed or single-homed. Even for single-homed redundant G-sources the Hot Standby procedure relies on the ESI labels for the Reverse Path Forwarding check on downstream PEs. The term "S-ESI" is used in this document to refer to an Ethernet Segment Identifier associated to a redundant G-source. Contrary to what is specified in the Warm Standby method (that is transparent to the downstream PEs), the support of the Hot Standby procedure is required not only on the upstream PEs but also on all downstream PEs connected to the receivers in the tenant network. The downstream PEs do not need to be configured to know the connected Single Flow Groups or their Ethernet Segment Identifiers, since they get that information from the upstream PEs. The downstream PEs will locally select an Ethernet Segment Identifier for a given Single Flow Group, and will program a Reverse Path Forwarding check to the (*,G)/(S,G) state for the Single Flow Group that will discard (*,G)/(S,G) packets from the rest of the Ethernet Segment Identifiers. The selection of the Ethernet Segment Identifier for the Single Flow Group is based on local policy. Signaling the location of a G-source for a given Single Flow Group and its association to the local Ethernet Segments Based on the configuration in step 1, an upstream PE configured to follow the Hot Standby procedures: Advertises an S-PMSI A-D (*,G)/(S,G) route per each configured Single Flow Group. These routes need to be imported by all the PEs of the tenant domain, therefore they will carry the route targets BD-RT (the route target of the Broadcast Domain) and SBD-RT (the route target of the Supplementary Broadcast Domain, if the SBD exists). The route also carries the ESI Label extended communities needed to convey all the S-ESIs associated to the Single Flow Group in the PE. The S-PMSI A-D route will convey a PMSI Tunnel Attribute in the same cases as in the Warm Standby procedure. The S-PMSI A-D (*,G)/(S,G) route is triggered by the configuration of the Single Flow Group and not by the reception of G-traffic. Distribution of DCB (Domain-wide Common Block) ESI-labels and G-source ES routes An upstream PE advertises the corresponding EVPN ES route, A-D per EVI and A-D per ES routes for the local S-ESIs. ES routes are used for regular Designated Forwarder Election for the S-ES. This document does not introduce any change in the procedures related to the EVPN ES routes. The EVPN A-D per EVI and A-D per ES routes MUST include the route target SBD-RT since they have to be imported by all the PEs in the tenant domain. The EVPN A-D per ES routes convey the S-ESI labels that the downstream PEs use to add the Reverse Path Forwarding check for the (*,G)/(S,G) associated to the Single Flow Groups. This Reverse Path Forwarding check requires that all the packets for a given G-source are received with the same S-ESI label value on the downstream PEs. For example, if two redundant G-sources are multi-homed to PE1 and PE2 via S-ES-1 and S-ES-2, PE1 and PE2 MUST allocate the same ESI label "Lx" for S-ES-1 and they MUST allocate the same ESI label "Ly" for S-ES-2. In addition, Lx and Ly MUST be different. These ESI labels are Domain-wide Common Block (DCB) labels and follow the allocation procedures in . Processing of EVPN A-D per ES/EVI routes and Reverse Path Forwarding check on the downstream PEsThe EVPN A-D per ES/EVI routes are received and imported in all the PEs in the tenant domain. The processing of the EVPN A-D per ES/EVI routes on a given PE depends on its configuration: The PEs attached to the same Broadcast Domain of the route target BD-RT that is included in the EVPN A-D per ES/EVI routes will process the routes as in and . If the receiving PE is attached to the same Ethernet Segment as indicated in the route, split-horizon procedures will be followed and the Designated Forwarder Election candidate list may be modified as in if the Ethernet Segment supports the AC-DF (Attachment Circuit influenced Designated Forwarder) capability. The PEs that are not attached to the Broadcast Domain identified by the route target BD-RT but are attached to the Supplementary Broadcast Domain of the received route target SBD-RT, will import the EVPN A-D per ES/EVI routes and use them for redundant G-source mass withdrawal, as explained later. Upon importing EVPN A-D per ES routes corresponding to different S-ESes, a PE MUST select a primary S-ES and add a Reverse Path Forwarding check to the (*,G)/(S,G) state in the Broadcast Domain or Supplementary Broadcast Domain. This Reverse Path Forwarding check will discard all ingress packets to (*,G)/(S,G) that are not received with the ESI-label of the primary S-ES. The selection of the primary S-ES is a matter of local policy. G-traffic forwarding for redundant G-sources and fault detectionAssuming there is (*,G) or (S,G) state for the Single Flow Group with Output Interface list entries associated to remote EVPN PEs, upon receiving G-traffic on a S-ES, the upstream PE will add a S-ESI label at the bottom of the stack before forwarding the traffic to the remote EVPN PEs. This label is allocated from a Domain-wide Common Block as described in step 3. If Point-to-multipoint or BIER PMSIs are used, this is not adding any new data path procedures on the upstream PEs (except that the ESI-label is allocated from a Domain-wide Common Block as described in ). However, if Ingress Replication or Assisted Replication are used, this document extends the procedures by pushing the S-ESI labels not only on packets sent to the PEs that shared the ES but also to the rest of the PEs in the tenant domain. This allows the downstream PEs to receive all the multicast packets from the redundant G-sources with a S-ESI label (irrespective of the PMSI type and the local ESes), and discard any packet that conveys a S-ESI label different from the primary S-ESI label (that is, the label associated to the selected primary S-ES), as discussed in step 4. If the last EVPN A-D per EVI or the last EVPN A-D per ES route for the primary S-ES is withdrawn, the downstream PE will immediately select a new primary S-ES and will change the Reverse Path Forwarding check. Note that if the S-ES is re-used for multiple tenant domains by the upstream PEs, the withdrawal of all the EVPN A-D per-ES routes for a S-ES provides a mass withdrawal capability that makes a downstream PE to change the Reverse Path Forwarding check in all the tenant domains using the same S-ES. The withdrawal of the last EVPN S-PMSI A-D route for a given (*,G)/(S,G) that represents a Single Flow Group SHOULD make the downstream PE remove the S-ESI label based Reverse Path Forwarding check on (*,G)/(S,G).

Domain-wide Common Block Labels are specified in and this document makes use of them for the procedures described in . assumes that Domain-wide Common Block labels can only be used along with Multipoint-to-Multipoint, Point-to-Multipoint, or BIER tunnels and that, if the PMSI label is signaled as a Domain-wide Common Block label, then the ESI label used for multi-homing is also a Domain-wide Common Block label. This document extends the use of the Domain-wide Common Block allocation for ESI labels so that: Domain-wide Common Block allocated ESI labels MAY be used along with Ingress Replication tunnels, and Domain-wide Common Block allocated ESI labels MAY be used by PEs that do not use Domain-wide Common Block allocated PMSI labels. This control plane extension is indicated by adding the DCB-flag (Domain-wide Common Block flag) or the Context Label Space ID extended community to the EVPN A-D per ES route(s) advertised for the S-ES. The DCB-flag is encoded in the ESI Label Extended Community as follows:

This document defines the bit 5 in the Flags octet of the ESI Label Extended Community as the ESI-DCB-flag. When the ESI-DCB-flag is set, it indicates that the ESI label is a Domain-wide Common Block label. A received ESI label is considered a Domain-wide Common Block label if either of these two conditions is met: The ESI label is encoded in an ESI Label Extended Community with the ESI-DCB-flag set. The ESI label is signaled from a PE that advertised a PMSI label that is a Domain-wide Common Block label. As in this document also allows the use of context label space ID extended community. When the context label space ID extended community is advertised along with the ESI label in an EVPN A-D per ES route, the ESI label is from a context label space identified by the Domain-wide Common Block label in the Extended Community.

In addition to using the state of the EVPN A-D per EVI, EVPN A-D per ES or S-PMSI A-D routes to modify the Reverse Path Forwarding check on (*,G)/(S,G) as discussed in , Bidirectional Forwarding Detection (BFD) protocol MAY be used to monitor the status of the multipoint tunnels used to forward the Single Flow Group ppackets from the redundant G-sources. The BGP-BFD Attribute is advertised along with the S-PMSI A-D or Inclusive Multicast Ethernet Tag routes (depending on whether Inclusive PMSI or Selective PMSI trees are used) and the procedures described in are used to bootstrap multipoint BFD sessions on the downstream PEs.

illustrates the Hot Standby model in an Optimized Inter-Subnet Multicast (OISM) network. Consider S1 and S2 are redundant G-sources for the Single Flow Group (*,G1) in Broadcast Domain BD1 (any source using G1 is assumed to transmit an SFG). S1 and S2 are (all-active) multi-homed to upstream PEs, PE1 and PE2. The receivers are attached to downstream PEs, PE3 and PE5, in Broadcast Domains BD3 and BD1, respectively. S1 and S2 are assumed to be connected by a Link Aggregation Group to the multi-homing PEs, and the multicast traffic can use the link to either upstream PE. The diagram illustrates how S1 sends the G-traffic to PE1 and PE1 forwards to the remote interested downstream PEs, whereas S2 sends to PE2 and PE2 forwards further. In this Hot Standby model, the interested downstream PEs will get duplicate G-traffic from the two G-sources for the same Single Flow Group. While the diagram shows that the two flows are forwarded by different upstream PEs, the all-active multi-homing procedures may cause that the two flows come from the same upstream PE. Therefore, finding out the upstream PE for the flow is not enough for the downstream PEs to program the required Reverse Path Forwarding check to avoid duplicate packets on the receiver.

|BD1|--+ | |+---+ | |+---+ | +--->+---+ | +------------+ +------------+ +------------+ | ^ | ^ | | IGMP | | IGMP R1 | J(*,G1) R3 | J(*,G1) ]]> In this scenario, the Hot Standby solution works as follows: Configuration of the upstream PEs, PE1 and PE2PE1 and PE2 are configured to know that G1 is a Single Flow Group for any source (a source prefix length could have been configured instead) and the redundant G-sources for G1 use S-ESIs ESI-1 and ESI-2 respectively. Both Ethernet Segments are configured in both PEs and their ESI value can be configured or auto-derived. The ESI-label values are allocated from a Domain-wide Common Block and are configured either locally or by a centralized controller. We assume ESI-1 is configured to use ESI-label-1 and ESI-2 to use ESI-label-2. The downstream PEs, PE3, PE4 and PE5 are configured to support Hot Standby mode and select the G-source with e.g., lowest ESI value. PE1 and PE2 advertise S-PMSI A-D (*,G1) and EVPN ES, A-D per ES and A-D per EVI routesBased on the configuration of step 1, PE1 and PE2 advertise an S-PMSI A-D (*,G1) route each. The route from each of the two PEs will include TWO ESI Label Extended Communities with ESI-1 and ESI-2 respectively, as well as route target BD1-RT plus SBD-RT and a flag that indicates that (*,G1) is a Single Flow Group. In addition, PE1 and PE2 advertise EVPN ES and A-D per ES/EVI routes for ESI-1 and ESI-2. The EVPN A-D per ES and per EVI routes will include the route target of the SBD, i.e.,: SBD-RT, so that they can be imported by the downstream PEs that are not attached to Broadcast Domain BD1, e.g., PE3 and PE4. The EVPN A-D per ES routes will convey ESI-label-1 for ESI-1 (on both PEs) and ESI-label-2 for ESI-2 (also on both PEs). Processing of EVPN A-D per ES/EVI routes and Reverse Path Forwarding checkPE1 and PE2 received each other's ES and A-D per ES/EVI routes. Regular procedures will be followed for the Designated Forwarder Election and programming of the ESI-labels for egress split-horizon filtering. PE3/PE4 import the EVPN A-D per ES/EVI routes in the SBD. Since PE3 has created a (*,G1) state based on local interest, PE3 will add a Reverse Path Forwarding check to (*,G1) so that packets coming with ESI-label-2 are discarded (lowest ESI value is assumed to give the primary S-ES). G-traffic forwarding and fault detectionPE1 receives G-traffic (S1,G1) on ES-1 that is forwarded within the context of Broadcast Domain BD1. Irrespective of the tunnel type, PE1 pushes ESI-label-1 at the bottom of the stack and the traffic gets to PE3 and PE5 with the mentioned ESI-label (PE4 has no local interested receivers). The G-traffic with ESI-label-1 passes the Reverse Path Forwarding check and it is forwarded to R1. In the same way, PE2 sends (S2,G1) with ESI-label-2, but this G-traffic does not pass the Reverse Path Forwarding check and gets discarded at PE3/PE5. If the link from S1 to PE1 fails, S1 will forward the (S1,G1) traffic to PE2 instead. PE1 withdraws the EVPN ES and A-D routes for ESI-1. Now both flows will be originated by PE2, however the Reverse Path Forwarding checks do not change in PE3/PE5. If subsequently, the link from S1 to PE2 fails, PE2 also withdraws the EVPN ES and A-D routes for ESI-1. Since PE3 and PE5 have no longer A-D per ES/EVI routes for ESI-1, they immediately change the Reverse Path Forwarding check so that packets with ESI-label-2 are now accepted. illustrates a scenario where sources S1 and S2 are single-homed to PE1 and PE2 respectively. This scenario is a sub-case of the one in . Now ES-1 only exists in PE1, hence only PE1 advertises the EVPN A-D per ES/EVI routes for ESI-1. Similarly, ES-2 only exists in PE2 and PE2 is the only PE advertising EVPN A-D routes for ESI-2. The same procedures as in apply to this use-case.

|BD1|--+ | |+---+ | |+---+ | |+---+ | +------------+ +------------+ +------------+ | ^ | ^ | | IGMP | | IGMP R1 | J(*,G1) R3 | J(*,G1) ]]>

Irrespective of the redundant G-sources being multi-homed or single-homed, if the tenant network has only one Broadcast Domain, e.g., BD1, the procedures of still apply, only that routes do not include any SBD route target, i.e.,: SBD-RT, and all the procedures apply to Broadcast Domain BD1 only.

The same Security Considerations described in are valid for this document. From a security perspective, out of the two methods described in this document, the Warm Standby method is considered lighter in terms of control plane and therefore its impact is low on the processing capabilities of the PEs. The Hot Standby method adds more burden on the control plane of all the PEs of the tenant with sources and receivers.

IANA is requested to allocate a bit in the Multicast Flags Extended Community registry that was introduced by . This bit indicates that a given (*,G) or (S,G) in an S-PMSI A-D route is associated with an SFG (Single Flow Group). This bit is called "Single Flow Group" bit and it is defined as follows: Bit Name Reference 4 Single Flow Group This Document

&RFC7432; &RFC6513; &RFC6514; &RFC9251; &I-D.ietf-bess-evpn-irb-mcast; &RFC8584; &RFC2119; &RFC8174; &I-D.ietf-bess-mvpn-evpn-aggregation-label; &RFC9136; &I-D.ietf-bess-evpn-bum-procedure-updates; &I-D.ietf-bess-evpn-pref-df; &RFC4364; &I-D.ietf-bess-evpn-bfd; &I-D.ietf-mpls-p2mp-bfd; &RFC7761;

The authors would like to thank Mankamana Mishra, Ali Sajassi and Greg Mirsky for their review and valuable comments.

In addition to the authors listed on the front page, the following people have significantly contributed to this document: Eric C. Rosen Email: erosen52@gmail.com