<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd" [ <!ENTITY RFC4861 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4861.xml"> <!ENTITY RFC7432 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7432.xml"> <!ENTITY RFC2119 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> <!ENTITY RFC8174 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"> <!ENTITY I-D.ietf-bess-evpn-irb-extended-mobility SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-bess-evpn-irb-extended-mobility.xml"> <!ENTITY I-D.rbickhart-evpn-ip-mac-proxy-adv SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.rbickhart-evpn-ip-mac-proxy-adv.xml"> ]> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="3"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>"rfc2629-xhtml.ent"> <rfccategory="std"xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-bess-evpn-na-flags-09" number="9047" ipr="trust200902"submissionType="IETF"> <!--Generated by id2xml 1.5.0 on 2020-07-14T16:15:56Z --> <?rfc strict="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?> <?rfc symrefs="yes"?> <?rfc sortrefs="no"?> <?rfc text-list-symbols="o*+-"?> <?rfc toc="yes"?>submissionType="IETF" category="std" consensus="true" obsoletes="" updates="" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3"> <front> <title abbrev="EVPNNeighbor AdvertisementARP/ND Flags">Propagation of ARP/ND Flags inEVPN</title>an Ethernet Virtual Private Network (EVPN)</title> <seriesInfo name="RFC" value="9047"/> <author fullname="Jorge Rabadan" initials="J." role="editor" surname="Rabadan"> <organization>Nokia</organization> <address> <postal> <street>777 Middlefield Road</street> <city>Mountain View</city> <region>CA</region> <code>94043</code><country>USA</country><country>United States of America</country> </postal> <email>jorge.rabadan@nokia.com</email> </address> </author> <author fullname="Senthil Sathappan" initials="S." surname="Sathappan"> <organization>Nokia</organization> <address> <postal> <street>701 E. Middlefield Road</street><street>Mountain View, CA 94043 USA</street><city>Mountain View</city> <region>CA</region> <code>94043</code> <country>United States of America</country> </postal> <email>senthil.sathappan@nokia.com</email> </address> </author> <author fullname="Kiran Nagaraj" initials="K." surname="Nagaraj"> <organization>Nokia</organization> <address> <postal> <street>701 E. Middlefield Road</street><street>Mountain View, CA 94043 USA</street><city>Mountain View</city> <region>CA</region> <code>94043</code> <country>United States of America</country> </postal> <email>kiran.nagaraj@nokia.com</email> </address> </author> <author fullname="Wen Lin" initials="W." surname="Lin"> <organization abbrev="Juniper">Juniper Networks</organization> <address> <email>wlin@juniper.net</email> </address> </author> <dateday="1" month="December" year="2020"/>month="June" year="2021"/> <workgroup>BESS Workgroup</workgroup> <keyword>proxy-ARP</keyword> <keyword>proxy-ND</keyword> <keyword>proxy-ARP/ND</keyword> <keyword>ARP/ND extended community</keyword> <abstract> <t>This document defines an Extended Community that is advertised along with anEVPN MAC/IPEthernet Virtual Private Network (EVPN) Media Access Control (MAC) / IP Advertisement route and carries information relevant to theARP/ND resolution,Address Resolution Protocol (ARP) / Neighbor Discovery (ND) resolution so that an EVPNPEProvider Edge (PE) implementing a proxy-ARP/ND function in broadcast domains (BDs) or an ARP/ND(on IRB interfaces)function on Integrated Routing and Bridging (IRB) interfaces can reply to ARP Requests or NeighborSolicitationsSolicitation (NS) messages with the correct information.</t> </abstract> </front> <middle> <section anchor="sect-1"title="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>AnEthernet Virtual Private Network (EVPN)EVPN MAC/IP Advertisement route can optionally carry IPv4 or IPv6 addresses associated with a MAC address. RemoteProvider Edge (PE)PE routers can use this information to populate theirAddress Resolution Protocol (ARP)ARP orNeighbor Discovery (ND)ND tables onIntegrated Routing and Bridging (IRB)IRB interfaces or their proxy-ARP/ND tables inBroadcast Domains (BD).BDs. PEs can then reply locally (act as an ARP/ND proxy, as per <xreftarget="RFC7432"/>)target="RFC7432" format="default"/>) to IPv4 ARPrequestsRequests and IPv6 Neighbor Solicitation messages andreduce/suppressreduce or suppress the flooding produced by theAddress Resolutionaddress resolution procedure. However, the information conveyed in the EVPN MAC/IP Advertisement route may not be enough for the remote PE to reply to local ARP or ND requests. For example, if a PE learns anIPv6->MACIPv6 address and MAC address combination ND entry viaEVPN,EVPN (denoted by IPv6->MAC), the PE would not know if that particular IPv6->MAC pair belongs to a router or ahost, andhost or if that address is an anycast address, as this information is not carried in the EVPN MAC/IP Advertisement routes.</t> <t>This document defines an Extended Community that is advertised along with an EVPN MAC/IP Advertisement route and carries information relevant to the ARP/NDresolution,resolution so that an EVPN PE implementing a proxy-ARP/ND function can reply to ARP Requests or Neighbor Solicitations with the correct information. In particular, theFlagsflags defined in <xreftarget="RFC4861"/>target="RFC4861" format="default"/> can now be conveyed along with a MAC/IP Advertisementroute,route so that an egress EVPN PE can issue Neighbor Advertisement (NA) messages with the correctFlagflag information.</t> <t>TheFlagsflags are carried in the EVPN Address Resolution Protocol(ARP)and Neighbor Discovery(ND)(ARP/ND) Extended Community, as described in the following sections.</t> <section anchor="sect-1.1"title="Terminologynumbered="true" toc="default"> <name>Terminology andConventions"> <t>TheConventions</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t> <t>EVPN: Ethernethere. </t> <dl newline="false" indent="8"> <dt>EVPN:</dt><dd>Ethernet Virtual Private Networks, as in <xreftarget="RFC7432"/>.</t> <t>BD: Broadcasttarget="RFC7432" format="default"/></dd> <dt>BD:</dt><dd>Broadcast Domain, also described in <xreftarget="RFC7432"/>.</t> <t>ARP: Addresstarget="RFC7432" format="default"/></dd> <dt>ARP:</dt><dd>Address ResolutionProtocol.</t> <t>ND: NeighborProtocol</dd> <dt>ND:</dt><dd>Neighbor Discovery protocol, specified in <xreftarget="RFC4861"/>.</t> <t>PE:target="RFC4861" format="default"/></dd> <dt>PE:</dt><dd> Provider Edgerouter.</t> <t>CE: Customerrouter</dd> <dt>CE:</dt><dd>Customer Edgerouter.</t> <t>IRB: Integratedrouter</dd> <dt>IRB:</dt><dd>Integrated Routing and Bridginginterface.</t> <t>Proxy-ARP/ND:interface</dd> <dt>Proxy-ARP/ND:</dt><dd> A function on the EVPN PEs by which receivedAddress Resolution Protocol (ARP)ARP Requests orNeighbor Solicitation (NS)NS messages are replied to locally by the PE, without the need to flood the requests to remote PEs in the BD. In order to reply to ARP Requests or NS messages, the PE does a lookup on an ARP/ND table,thatwhich is a collection of IP->MAC entries learned by thePE.</t> <t>IP->MAC: anPE.</dd> <dt>IP->MAC:</dt><dd>An IP address and MAC address combination that represents a given host and is added to anAddress Resolution ProtocolARP table orNeighbor DiscoveryND table. This document uses IP->MAC generically for IPv4 and IPv6 addresses. When something is specific to IPv4, the document will useIPv4->MAC andIPv4->MAC; likewise, IPv6->MAC will be used when something is specific to IPv6 entriesonly.</t>only.</dd> </dl> <t>Familiarity with the terminology in <xreftarget="RFC7432"/>target="RFC4861" format="default"/> and <xreftarget="RFC4861"/>target="RFC7432" format="default"/> is expected.</t> </section> </section> <section anchor="sect-2"title="Thenumbered="true" toc="default"> <name>The EVPN ARP/ND ExtendedCommunity">Community</name> <t>This document defines a transitive EVPN Extended Community (Type field value of 0x06) with a Sub-Type of 0x08, as allocated by IANA. It is advertised along with EVPN MAC/IP Advertisement routes that carry an IPv4 or IPv6 address.</t><figure> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=0x06 | Sub-Type=0x08 |Flags (1 octet)| Reserved=0 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved=0 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Flags field: 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | |I| |O|R| +-+-+-+-+-+-+-+-+ ]]></artwork></figure><t>The followingFlagsflags are defined in the Flags field, the third octet of the Extended Community:</t><t>R - Router Flag<dl newline="false" indent="5"> <dt>R:</dt><dd><t>Router flag (corresponds to Bit 23 of the Extended Community)</t> <t>Bit 7 of the Flags field is defined as the "RouterFlag".flag". When set, the RFlagflag indicates that the IPv6->MAC pair advertised in the MAC/IP Advertisementrouteroute, along with the ExtendedCommunityCommunity, belongs to an IPv6 router. If the RFlagflag is zero, the IPv6->MAC pair belongs to a host. The receiving PE implementing the ND function will use this information in Neighbor Advertisement messages for the associated IPv6 address. ThisFlagflag has no meaning for ARP IPv4->MAC entries andMUST<bcp14>MUST</bcp14> be ignored when the Extended Community is received with an EVPN MAC/IP Advertisement route for an IPv4->MACpair.</t> <t>O - Override Flagpair.</t></dd> <dt>O:</dt><dd><t>Override flag (corresponds to Bit 22 of the ExtendedCommunity)</t> <t>BitCommunity)</t><t> Bit 6 of the Flags field is defined as the "OverrideFlag".flag". An egress PE will normally advertise IPv6->MAC pairs with the OFlagflag set, and only when IPv6 "anycast" is enabled in the BD orinterface,interface will the PEwillsend an IPv6->MAC pair with the OFlagflag = 0. The ingress PE will install the ND entry with the received OFlagflag and will always use this OFlagflag value when replying to a Neighbor Solicitation for the IPv6 address. Similarly to the Router Flag, the OverrideFlagflag has no meaning for ARP IPv4->MAC entries andMUST<bcp14>MUST</bcp14> be ignored when the Extended Community is received with an EVPN MAC/IP Advertisement route for an IPv4->MACpair.</t> <t>I - Immutablepair.</t></dd> <dt>I:</dt><dd><t>Immutable ARP/ND BindingFlagflag (corresponds to Bit 20 of the Extended Community)</t> <t>Bit 4 of the Flags field is defined as the "Immutable ARP/ND BindingFlag".flag". When set, the egress PE indicates that the IP->MAC pair that was sent in an EVPN MAC/IP Advertisement route (along with the Extended Community) is a configured ARP/ND entry. In this case, the IP address in the EVPN MAC/IP Advertisement route can only be bound together with the MAC address specified in the same route, and not with any other MAC addresses received in a different route without the IFlag set.</t>flag set.</t></dd></dl> <t>Bits 0-3 and 5 are not assigned by this document. TheyMUST<bcp14>MUST</bcp14> be set tozero,zero and ignored on receipt.</t> <t>The reserved fields are set to 0 and ignored by the receiver.</t> </section> <section anchor="sect-3"title="Usenumbered="true" toc="default"> <name>Use of the EVPN ARP/ND ExtendedCommunity">Community</name> <t>This section describes the relevant procedures when advertising and processing the EVPN ARP/ND Extended Community. In all the proceduresbelowbelow, a "PE" must be interpreted as a "PEwhichthat supports theND/ARP proxy functionproxy-ARP/ND (introduced by <xreftarget="RFC7432"/>)target="RFC7432" format="default"/>) and implements the propagation of the ARP/NDFlagsflags that this document specifies".</t> <section anchor="sect-3.1"title="Transmissionnumbered="true" toc="default"> <name>Transmission of the EVPN ARP/ND ExtendedCommunity">Community</name> <t>When an IP->MAC entry is not learned via EVPN, a PE may learn IP->MAC pairs in the management plane (this will create static entries in the ARP/ND or proxy-ARP/ND table) or by snooping ARP orNeighbor Advertisement (NA)NA messages coming from the CE (this will create dynamic entries). Those static and dynamic IP->MAC entries will be advertised in EVPN MAC/IP Advertisement routes that use the EVPN ARP/ND Extended Community as follows:</t><t><list style="symbols"> <t>Advertised<ul spacing="normal"> <li>Advertised MAC/IP Advertisement routes for IPv6->MAC entriesMUST<bcp14>MUST</bcp14> include one (and only one) ARP/ND Extended Community with the R and OFlagflag values associated with the entry. ThoseFlagflag values are either dynamically learned (from NA messages) or configured in case of staticentries.</t> <t>MAC/IPentries.</li> <li>MAC/IP Advertisement routes for IPv4->MAC entriesMAY<bcp14>MAY</bcp14> include one ARP/ND Extended Community. If the EVPN ARP/ND Extended Community is advertised along with an EVPN IPv4/MAC Advertisement route, the R and OFlags SHOULDflags <bcp14>SHOULD</bcp14> be set tozero.</t> <t>Ifzero.</li> <li>If an IP->MAC pair is static (it has beenconfigured)configured), the corresponding MAC/IP Advertisement routeMUST<bcp14>MUST</bcp14> be sent along with an ARP/ND Extended Community with the IFlag set.</t> <t>Thisflag set.</li> <li>This Extended Community does not change the procedures described in <xreftarget="RFC7432"/>. Specificallytarget="RFC7432" format="default"/>. Specifically, the procedures for advertising the MAC Mobility Extended Community along with the MAC/IP Advertisement route are notchanged.</t> </list></t>changed.</li> </ul> </section> <section anchor="sect-3.2"title="Receptionnumbered="true" toc="default"> <name>Reception of the EVPN ARP/ND ExtendedCommunity">Community</name> <t>In addition to the procedures specified in <xreftarget="RFC7432"/>target="RFC7432" format="default"/>, a PE receiving a MAC/IP Advertisement route will process the EVPN ARP/ND Extended Community as follows:</t><t><list style="symbols"> <t>Only<ul spacing="normal"> <li>Only one EVPN ARP/ND Extended Community is expected to be received along with an EVPN MAC/IP Advertisement route. If more than one ARP/ND Extended Community is received, the PEMUST<bcp14>MUST</bcp14> consider only the first one on the list for processing purposes andMUST NOT<bcp14>MUST NOT</bcp14> propagate the rest of the ARP/ND ExtendedCommunities.</t> <t>TheCommunities.</li> <li>The R,OO, and IFlags MUSTflags <bcp14>MUST</bcp14> be ignored if they are advertised along with an EVPN MAC/IP Advertisement route that does not contain an IP (IPv4 or IPv6) address.OtherwiseOtherwise, they are processed asfollows.</t>follows.</li> <li> <t>R and OFlags processing:<list style="symbols"> <t>Ifflag processing:</t> <ul spacing="normal"> <li>If the EVPN MAC/IP Advertisement route contains an IPv6 address and the EVPN ARP/ND Extended Community, the PEMUST<bcp14>MUST</bcp14> add the R and OFlagflag values to the ND entry in the ND or proxy-NDtable,table and propagate the value of the R and O flags from the ARP/ND Extended Community to the Neighbor Advertisements when replying to aSolicitationsolicitation for the IPv6address.</t> <t>Ifaddress.</li> <li>If no EVPN ARP/ND Extended Community is received along with the route, the PE will add the default R and OFlagsflags to the entry. The default RFlag SHOULDflag <bcp14>SHOULD</bcp14> be an administrative choice. The default OFlag SHOULDflag <bcp14>SHOULD</bcp14> be1.</t> <t>A1.</li> <li>A PEMUST<bcp14>MUST</bcp14> ignore the received R and OFlagsflags for an EVPN MAC/IP Advertisement route that contains an IPv4->MACpair.</t> </list></t>pair.</li> </ul> </li> <li> <t>IFlag processing:<list style="symbols"> <t>Aflag processing:</t> <ul spacing="normal"> <li>A PE receiving an EVPN MAC/IP Advertisement route containing an IP->MAC and the IFlagflag setSHOULD<bcp14>SHOULD</bcp14> install the IP->MAC entry in the ARP/ND or proxy-ARP/ND table as an"Immutable"immutable binding". ThisImmutableimmutable binding entry will override an existing non-immutable binding for the same IP->MAC. The absence of the EVPN ARP/ND Extended Community in a MAC/IP Advertisement route indicates that the IP->MAC entry is not an"Immutable binding".</t> <t>Receiving"immutable binding".</li> <li>Receiving multiple EVPN MAC/IP Advertisement routes withI=1the I flag set to 1 for the same IP but a different MAC address is considered a misconfiguration or a transient error condition. If this happens in the network, a PE receiving multiple routes (withI=1the I flag set to 1 for the same IP and a different MAC address)SHOULD<bcp14>SHOULD</bcp14> update the IP->MAC entry with the latest received information. Note that if a configured IP1->MAC1 changes to point to a new MAC address, i.e., IP1->MAC2, the EVPN MAC/IP Advertisement route for IP1->MAC1 will be withdrawn before the EVPN MAC/IP Advertisement route for IP1->MAC2 isadvertised.</t> <t>Aadvertised.</li> <li>A PE originating an EVPN MAC/IP Advertisement route for IP1->MAC1 withI=1 MAYthe I flag set to 1 <bcp14>MAY</bcp14> also originate the route with theStatic bit"Sticky/static flag" set (in the MAC Mobility Extended Community). In such a case, the IP1->MAC1 binding is not only immutable but it cannot move as well. Even so, if an update for the sameIP1->MAC1immutable andstatic,static IP1->MAC1 is received from a different PE, one of the two routes will be selected. Thiscaseis analogous to the<xref target="RFC7432"/>case described in <xref target="RFC7432" sectionFormat="of" section="15.2"/> when two MAC/IP routes with theStatic bitstatic flag set are received, and the PE likewiseMUST<bcp14>MUST</bcp14> alert the operator of such asituation.</t> </list></t> </list>Insituation.</li> </ul> </li> </ul> <t>In a situation where a host (with an IP->MAC that is configured asImmutableimmutable binding in the attached PE) is allowed to move between PEs (that is, the associated MAC is non-static), PEs can receive multiple MAC/IPadvertisementAdvertisement routes for the same IP->MAC. In such situations, MAC mobility procedures as in <xreftarget="RFC7432"/>target="RFC7432" format="default"/> dictate the reachability of the MAC.</t> <t>As an example of the use of the IFlag,flag, consider PE1,PE2PE2, and PE3areattached to the same BD. PE1 originates an EVPN MAC/IP Advertisement route for IP1->MAC1 withI=1;the I flag set to 1 later on, PE2 also originates an EVPN MAC/IP Advertisement route IP1->MAC1 with a higher sequence number andI=1.the I flag set to 1. Then all the EVPN PEs attached to the same BDSHOULD<bcp14>SHOULD</bcp14> retain their IP1->MAC1 ARP/ND binding but update MAC1's forwarding destination to PE2.If forFor some reason, if PE3 originates an EVPN MAC/IP Advertisement route for IP1->MAC2 withI=0the I flag set to 0 (even with a higher sequence number), then the EVPN PEs in the BD will not update their IP1->MAC1 ARP/NDbindings,bindings since IP1 is bound to MAC1 (MAC2SHOULD<bcp14>SHOULD</bcp14> still be programmed in thelayer-2Layer 2 BDs). This is considered a misconfiguration in PE3.</t><t>The use of<t>When theFlag I=1 assumes thatI flag is set to 1, a given IP is assumed to be always bound to the same MACaddress, and thereforeaddress; therefore, the mobility procedures described in <xreftarget="I-D.ietf-bess-evpn-irb-extended-mobility"/>target="I-D.ietf-bess-evpn-irb-extended-mobility" format="default"/> for "Host IP move to a new MAC" will not apply.</t> </section> </section> <section anchor="sect-4"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>The same security considerations described in <xreftarget="RFC7432"/>target="RFC7432" format="default"/> apply to this document. In general, it is worth noting that the use ofProxy ARP/NDproxy-ARP/ND in EVPN BDs may add some security risks. Attackers can make use of ARP/ND messages to create state in all the PEs attached to the same BD as the attacker and exhaust resources in those PEs. Therefore, additional security mechanisms may be needed. Some examples of such additional security mechanisms aree.g., limitlimiting the number ofProxy ARP/NDproxy-ARP/ND entriesper-BD/per-port,per BD and/or per port ormonitorclosely monitoring the rate at which hosts create dynamicProxy-ARP/NDproxy-ARP/ND entries.</t> <t>In addition, this document adds pieces of information that impactonthe way ARP/ND entries are installed in ARP/ND and/or proxy-ARP/NDtables, and thereforetables and, therefore, impacts the resolution protocols for IPv4 and IPv6 addresses. For instance, if a given IPv6->MAC binding is configured with the wrong R or OFlagsflags (intentionally or not) on a given PE, the rest of the PEs attached to the same BD will install the wrong information for the IPv6->MAC. This will cause all the PEs in the BD to reply to Neighbor Solicitations for the IPv6 withNeighbor Advertisement (NA)NA messages containing the wrong R and OFlags.flags. For example, as specified in <xreftarget="RFC4861"/>,target="RFC4861" format="default"/>, the receiver ofaan NA message with O not set will not update its existing cache entry for theIP->MAC, henceIP->MAC; hence, the communication between the owner of the IP address and the receiver of the NA message with the wrong O flag will fail. Similarly, the receiver ofaan NA message with the wrong Rflag,flag may update its Default Router List by incorrectly adding or removing an entry, whichcouldcould, forexampleexample, lead to sending traffic to a node that is not a router, causing the traffic to bedropped .</t>dropped.</t> <t>The IFlag,flag, or Immutable ARP/ND BindingFlag, introducesflag, is a useful securitytool so thattool, allowing an operatormakes sureto ensure a given IP address is always bound to the same MAC and that information is distributed to all the PEs attached to the same BD. ARP/ND spoofingattacks from hosts injectingattacks, in which a malicious host injects Gratuitous ARPs or unsolicitedNeighbor Advertisement messagesNAs for that IP address with a different MACaddressaddress, will not succeedto be programmedin programming the ARP/ND and proxy-ARP/ND tables and therefore the spoofer willavoid attracting traffic tonot receive thespoofer.</t>traffic.</t> </section> <section anchor="sect-5"title="IANA Considerations"> <t>This document request that the Name ofnumbered="true" toc="default"> <name>IANA Considerations</name> <t>IANA has changed thecurrently registered valuename for Sub-Type Value 0x08 in theEVPN"EVPN Extended CommunitySub-TypesSub-Types" registry(https://www.iana.org/assignments/bgp-extended-communities/bgp-extended-communities.xhtml#evpn) be changed to:</t> <texttable> <ttcol>Sub-Type</ttcol> <ttcol>Name</ttcol> <ttcol>Reference</ttcol> <c>0x08</c> <c>ARP/ND Extended Community</c> <c>[this document]</c> </texttable> <t>This document also requests<xref target="IANA-BGP-EXT-COMM" format="default"/> to the following:</t> <table align="center"> <name>Updated Value in the "EVPN Extended Community Sub-Types" Registry</name> <thead> <tr> <th align="left">Sub-Type Value</th> <th align="left">Name</th> <th align="left">Reference</th> </tr> </thead> <tbody> <tr> <td align="left">0x08</td> <td align="left">ARP/ND Extended Community</td> <td align="left">RFC 9047</td> </tr> </tbody> </table> <t>IANA has created thecreation of a registry called"ARP/ND Extended Community Flags" registry, where the following initial allocationsarehave been made:</t><texttable> <ttcol>Flag position</ttcol> <ttcol>Name</ttcol> <ttcol>Reference</ttcol> <c>0-3</c> <c>Unassigned</c> <c>-</c> <c>4</c> <c>Immutable<table align="center"> <name>Initial Values of the "ARP/ND Extended Community Flags" Registry</name> <thead> <tr> <th align="left">Flag Position</th> <th align="left">Name</th> <th align="left">Reference</th> </tr> </thead> <tbody> <tr> <td align="left">0-3</td> <td align="left">Unassigned</td> <td align="left"></td> </tr> <tr> <td align="left">4</td> <td align="left">Immutable ARP/ND Binding Flag(I)</c> <c>[this document]</c> <c>5</c> <c>Unassigned</c> <c>-</c> <c>6</c> <c>Override Flag (O)</c> <c>[this document]</c> <c>7</c> <c>Router Flag (R)</c> <c>[this document]</c> </texttable>(I)</td> <td align="left">RFC 9047</td> </tr> <tr> <td align="left">5</td> <td align="left">Unassigned</td> <td align="left"></td> </tr> <tr> <td align="left">6</td> <td align="left">Override Flag (O)</td> <td align="left">RFC 9047</td> </tr> <tr> <td align="left">7</td> <td align="left">Router Flag (R)</td> <td align="left">RFC 9047</td> </tr> </tbody> </table> <t>The registrationprocedurepolicy for this registry is StandardsAction.Action <xref target="RFC8126" format="default"/>. This registryshould beis located in theBorder"Border Gateway Protocol (BGP) ExtendedCommunities generalCommunities" registry(https://www.iana.org/assignments/bgp-extended-communities/bgp-extended-communities.xhtml).</t><xref target="IANA-BGP-EXT-COMM" format="default"/>.</t> <t>Note that theFlagflag position 5 is left unassigned and not used in this specification since it was previously requested by <xreftarget="I-D.rbickhart-evpn-ip-mac-proxy-adv"/>.</t>target="I-D.rbickhart-evpn-ip-mac-proxy-adv" format="default"/>.</t> </section> </middle> <back> <displayreference target="I-D.ietf-bess-evpn-irb-extended-mobility" to="EXTENDED-MOBILITY"/> <displayreference target="I-D.rbickhart-evpn-ip-mac-proxy-adv" to="EVPN-IP-MAC-PROXY"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4861.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7432.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references> <references> <name>Informative References</name> <reference anchor='I-D.ietf-bess-evpn-irb-extended-mobility'> <front> <title>Extended Mobility Procedures for EVPN-IRB</title> <author initials='N' surname='Malhotra' fullname='Neeraj Malhotra' role="editor"> <organization /> </author> <author initials='A' surname='Sajassi' fullname='Ali Sajassi'> <organization /> </author> <author initials='A' surname='Pattekar' fullname='Aparna Pattekar'> <organization /> </author> <author initials='A' surname='Lingala' fullname='Avinash Lingala'> <organization /> </author> <author initials='J' surname='Rabadan' fullname='Jorge Rabadan'> <organization /> </author> <author initials='J' surname='Drake' fullname='John Drake'> <organization /> </author> <date month='March' day='15' year='2021' /> </front> <seriesInfo name='Internet-Draft' value='draft-ietf-bess-evpn-irb-extended-mobility-05' /> <format type='TXT' target='http://www.ietf.org/internet-drafts/draft-ietf-bess-evpn-irb-extended-mobility-05.txt' /> </reference> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.rbickhart-evpn-ip-mac-proxy-adv.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <reference anchor="IANA-BGP-EXT-COMM" target="https://www.iana.org/assignments/bgp-extended-communities"> <front> <title>Border Gateway Protocol (BGP) Extended Communities</title> <author><organization>IANA</organization></author> </front> </reference> </references> </references> <section anchor="sect-6"title="Acknowledgments">numbered="false" toc="default"> <name>Acknowledgments</name> <t>The authors would like to thankAli Sajassi<contact fullname="Ali Sajassi"/> for his feedback.</t> </section></middle> <back> <references title="Normative References"> &RFC4861; &RFC7432; &RFC2119; &RFC8174; </references> <references title="Informative References"> &I-D.ietf-bess-evpn-irb-extended-mobility; <reference anchor="I-D.rbickhart-evpn-ip-mac-proxy-adv"> <front> <title>Proxy IP->MAC Advertisement in EVPNs</title> <author fullname="R. Bickhart" initials="R" surname="Bickhart"> <organization>Twitch</organization> </author> <date day="23" month="January" year="2020"/> </front> </reference> </references></back> </rfc>