EVN6: A Framework of Mapping of Ethernet Virtual Network to IPv6 Underlay

Ethernet Virtual Network is network model of Layer-2 built on top of the underlay to provide connectivity between dispersed customer sites across public network. This overlay L2 virtual network is used to carry the Ethernet data from the individual hosts in an encapsulated format over a logical tunnel, as if they were connected using the same LAN. Ethernet Virtual Network can serve scenarios such as campus networks, enterprise branch interconnections, data center networks, wide area IP bearer networks, and SD-WAN. There have been multiple solutions, they may differ in the types of underlying networks or encapsulation methods, besides, they usually serve different scenarios. VXLAN is a network virtualization technology which has been used mainly in data centers. VXLAN uses MAC-in-UDP encapsulation for packets, specifically, it encapsulates original Ethernet frames into UDP packets. It then encapsulates the UDP packets with the IP header and Ethernet header of the physical network as outer headers, enabling these packets to be routed across the network like ordinary IP packets. VPLS make use of MPLS and VPN protocols to provide a virtual LAN between multiple locations. It is basically a way to provide Ethernet-based multi-point to multi-point communication over MPLS networks. VPLS operates by creating a virtual ‘switch’ at the customer’s edge (CE) and the provider’s edge (PE) of their respective networks. The new framework, namely EVN6, proposed in this document aims to efficiently carry Ethernet Virtual Networks in IPv6 networks. It provides a methodology for dynamically creating a tunnel on the IPv6 network to transparently forward Ethernet frame when communication is required between a source and destination node in a Ethernet Virtual Network. In this scheme, Ethernet frame to be transmitted is directly placed in the payload field of IPv6 packet without adding additional payload, the MAC address of the hosts that needs to communicate, the identification of the Ethernet Virtual Network and the IPv6 prefix of the site can be directly mapped to the IPv6 addresses. With EVN6 implementation, any two host can communicate, regardless of the underlying IPv6 network structure and other details. This document specifies EVN6’s overall architecture, typical workflow, Layer-2 multicast and broadcast processing, etc.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The following terms are defined and used in this document, EVN6: Multi-site Ethernet Virtual Network built on IPv6 Network E-ADPT: Ethernet Adaptor IID: Interface Identifier(Section 2.5.1 of ) VEI: Virtual Ethernet Identification, VEI is used to identify and distinguish different Ethernet Virtual Network instances across the entire network, the length of VEI is 32 bits MAC-VRF: A Virtual Routing and Forwarding table for Media Access Control (MAC) addresses on a PE（Section 3 of ）, it stores IPv6 site prefix, VEI of the Ethernet Virtual Network and other information of each MAC address PE: Provider Edge Router

As a common underlay infrastructure, IPv6 network should simultaneously support multiple Ethernet Virtual Networks. To distinguish different Ethernet Virtual Network instances, VEI with a length of 32-bits is used to globally identify them, and it can identify up to 4.29 billion Ethernet Virtual Networks. Generally, Ethernet Virtual Network consists of multiple sites distributed in different geographically locations, and each site is connected to the IPv6 network through local PE at the edge of the IPv6 network. The PE device supports Ethernet Virtual Network services by introducing E-ADPT functional subsystem. E-ADPT directly encapsulates the Ethernet data frames to be transmitted by the customer site into IPv6 packets and sends them to the IPv6 network. For the received IPv6 packets destined to one of this local sites, E-ADPT removes their packet header and restores the original Ethernet frames.

For a given Ethernet Virtual Network, E-ADPT uses the IPv6 site prefix, i.e., Pref6 to identify different sites, so the Pref6 of different sites within a given Ethernet Virtual Network is also different. There are no special requirements for the type of address block used for Pref6, as long as it belongs to the global unicast address type and is reachable in global routing system. The Pref6 for each site can be allocated from the IPv6 address space owned by the operator. It should be noted that the length of Pref6 can be flexibly selected, it can be equal to or less than 64 bits. For Ethernet Virtual Network which has multiple sites, there is a 1: N relationship between the VEI and the site prefix of its sites. In order to send Ethernet frames to the correct destination site through the IPv6 network, MAC-VRF table in PE is used to store the MAC addresses of all hosts in the Ethernet Virtual Network, the corresponding VEI of the Ethernet Virtual Network and Pref6 of the sites they belong to. The format of each record in MAC-VRF is shown in figure 2, it contains MAC address, the VEI value, prefix of the corresponding site.

For E-ADPT, MAC-VRF provides a data foundation for encapsulating Ethernet frames into corresponding IPv6 packets, the data in it should be available before sending Ethernet frame to other sites, so the mechanism requires the sites to pre-send host MAC/Pref6 Mapping Advertisement to other sites. After receiving mapping relationship data of a host sent by other PEs, the PE stores the mapping data in the local MAC-VRF. The exchange of MAC/Pref6 can be carried out through the control layer, such as extending EVPN, however, this has been out of the scope of this document and will be discussed in other documents. When receiving Ethernet frame data sent by the host within the site, PE uses the destination MAC address as an index to search for the local MAC-VRF table. If a corresponding entry is found, PE extracts its site prefix Pref6 and VEI value, then uses the process in section 4.2 to encapsulate the Ethernet frame in an IPv6 packet. Afterwards, the IPv6 data packet is transmitted to the IPv6 network.

In this section, the Ethernet Virtual Network in figure 3 is used as an example to illustrate the workflow, its profile includes: the VEI value is N1, it has three branch sites connected to PE1, PE2, and PE3, with site prefixes Pref6-1, Pref6-2, and Pref6-3, respectively. Hosts H1, H2, H3 and H4 are located at sites 1, site 2 and site 3, respectively.

The workflow of EVN6 is illustrated as follows:

Step 1: EVN6 network creation on each PE device When creating an Ethernet Virtual Network instance on an IPv6 network, it should firstly enable the EVN6 function is in PE1, PE2, and PE3, then configure the relevant information of the Ethernet Virtual Network on this site, configure the Ethernet Virtual Network identifier VEI as N1, and set the site prefix Pref6 on the interface of the PE that the site accesses, indicating that the VEI of the Ethernet Virtual Network to which the site belongs to is N1, and its local site prefix is Pref6. This process can be configured manually or using specific systems such as network management. When the EVN6 instance is running, the sites within it exchange host MAC/Pref6 Mapping through the connected PEs, as described in Section 3.

Step 2: Host information search Host H2 in site 2 sends an Ethernet frame with the destination being Host H1 in site 1. Its frame header contains the MAC source address and MAC destination address, which are the MAC addresses of hosts H2 and H1, respectively. In this case, PE2 is the source PE and PE1 is the destination PE. After receiving the Ethernet frame in Site 2, PE2 uses the destination MAC address as an index to search for the local MAC-VRF table. If a corresponding entry is found, the Pref6 of remote site (i.e. Pref6-1) and VEI information are extracted; If not found, do not encapsulate and forward. Step 3: Address mapping and frame encapsulation In EVN6, each Ethernet frame needs to be associated with the VEI of the Ethernet Virtual Network to which the frame originates. Upon receiving the Ethernet frame, PE2 can determine its VEI value based on local configuration. Then the VEI obtained is divided into two sub-segments: VEI-S1 and VEI-S2, the first 16 bits are VEI-S1, and the last 16 bits are VEI-S2. VEI-S1 and VEI-S2 will be respectively put into IPv6 source and destination address of the new IPv6 packet as below. -The IPv6 source address is created by stateless mapping. Specifically, 64-bits Pref6-2 is put into the network prefix field, 16-bits VEI-S1 and source MAC address of the Ethernet frame is put into the field of Interface Identifier, i.e. IID, in order. -The IPv6 destination address is created by stateless mapping too. Specifically, 64-bits Pref6-1 is put into the network prefix field, 16-bits VEI-S2 and destination MAC address of the Ethernet frame is put into the field of Interface Identifier, i.e. IID, in order. The format of IPv6 source and destination addresses generated are shown in figure 4.

| 0 64 80 127 +-------------------+--------+------------+ IPv6 Destination Address | Pref6 of | VEI-S2 | Destination| | Destination PE | | MAC Address| +-------------------+--------+------------+ |<--------IID-------->| Figure 4: Format of IPv6 Source and Destination Addresses]]> Moreover, the Ethernet frame is put into the payload of IPv6 packet and the value of the "Next header" in the header is set to 143, indicating that the payload of the IPv6 packet is an Ethernet frame.

After the IPv6 packet is generated, it is sent to the IPv6 network via the underlying IPv6 network layer. Step 4: Packet forwarding in IPv6 network When receiving an IPv6 packet, routers in an IPv6 network use the destination address in the packet to look up the routing table and forward it. Since the IPv6 destination address contains the site prefix of the destination site, i.e. Pref6-1 in this case, which provides the egress PE of the packet, routers can forward the IPv6 packet carrying the Ethernet frame to the destination PE, i.e. PE1 in this case. It should be noted that this process does not require additional functionality for non-PE routers in the network, nor does it require extra IPv6 routing information to be added to the IPv6 network.

Step 5: Packet de-capsulation and Ethernet frame restoration As shown in figure 6, when receiving a IPv6 packet, the receiving PE, i.e., PE1, checks whether the destination address prefix matches the site prefix Pref6-1 on PE1? If yes, it extracts VEI-s1 and VEI-s2 from the IIDs of the source and destination IPv6 addresses, and concatenates them into VEI, then check if the VEI value is equal to N1? If yes, it then checks if the "Next header" value in the IPv6 header is 143? If yes, it then discards the IPv6 header, takes out the Ethernet frame, and sends the Ethernet frame to H1 within Site 1 based on its destination MAC address. Otherwise, the packet is discarded due to abnormal situation.

Link layer multicast is used to send Ethernet frames to multiple members of a group, these members are distributed on different sites of the Ethernet virtual network. The case here is used to illustrate multicast process: VN1 is an instance of Ethernet virtual network over IPv6 underlay, it consists of N1 sites, contains M1 hosts distributed on different sites, and its VEI is vn1. Of all the sites, site-0 has the site prefix Pref6-0 and is connected to the local PE1. G1 is a multicast group in instance VN1, it contains m1 members, and m1 is less or equal than M1. The members of G1 are distributed on n1 sites of instance VN1: site-1, site-2, …, Site-n1, since these sites are partial of the total site set, n1 is less or equal than N1. The site prefixes of each site are Pref6-1, Pref6-2, … , Pref6-n1. For multicast, MAC-VRF also maintains related entries, with MAC addresses being multicast addresses. Per IEEE 802.1Q, multicast addresses of Ethernet have the least significant bit in the first octet set to 1. Due to the presence of multiple destination sites for a given group, there are multiple site prefixes in each entryas follows:

Host H1 in site-0 sends a multicast frame to group G1. When the E-ADPT in PE1 receives the frame, it will lookup its MAC-VRF with the destination multicast address of the frame as the key. When a matching entry is found and its VEI field is vn1, the list of site prefix is extracted from the entry. Each item in the list is the site prefix of the remote site where the members of group G1 are located on. Then, for each remote site, the following operations are performed recurrently by the E-ADPT of PE1, { - Generate the source IPv6 address with the source MAC address, vn1 and Pref6-0 using the method in section 4.2. - Generate the source IPv6 address with destination multicast MAC address, vn1 and Pref6-k using the method in section 4.2. - Generate the IPv6 header using the IPv6 source and destination addresses created above, encapsulate the frame into IPv6 packet, then send the new IPv6 packet into the IPv6-only network. } Through the above n1 cycles the multicast frame is encapsulated into IPv6 packet and send the data out. When the packet traverses the IPv6-only network and reaches an egress PE, for instance, PE2. The E-ADPT of PE2 extracts its destination site prefix, i.e. Pref6-k, and VEI with value of vn1 from its IPv6 destination and source addresses. E-ADPT uses Pref6-k as the key to query the local MAC-VRF. If the corresponding entry is found, and the value of the VEI field is vn1, this indicates that one site attached to PE2 hosts the members of group G1, then, E-ADPT removes the IPv6 header and sends the released frame with the original multicast MAC address into this site.

Link layer broadcast is used to send Ethernet frames to any other hosts of the virtual Ethernet instance. Link layer broadcast is often used for IPv4 ARP and IPv6 neighbor discovery with ICMPv6 packet of type NS (type 135) [RFC4861]. Per 802.1Q, the destination address of the broadcast frame is FF-FF-FF-FF-FF-FF, and all hosts in the same Layer-2 network will receive the broadcast frame. EVN6 framework needs to support link layer broadcast as well. Herein, the case of instance VN1 in section 5.1 is used to illustrate the process of broadcast. Host H1 located in site-0 sends a broadcast Ethernet frame. After receiving the frame and detecting that the destination MAC address is a broadcast address, PE1 needs to transmit it to each remote site of instance VN1. The E-ADPT in PE1 queries the MAC-VRF with the value of vn1 as the key, retrieves all the site prefixes of instance VN1: Pref6-1, Pref6-2, … , Pref6-N1. Then, for each remote site, the following operations are performed recurrently by the E-ADPT of PE1, { - Generate the source IPv6 address with the source MAC address, vn1 and Pref6-0 of site-0 using the method in section 4.2. - Generate the source IPv6 address with the broadcast MAC address(ff:ff:ff:ff:ff:ff), Pref6-k and vn1 using the method in section 4.2. - Generate the IPv6 header using the IPv6 source and destination addresses created above, encapsulate the frame into IPv6 packet, then send the new IPv6 packet into the IPv6-only network. } Through the above N1-1 cycles the broadcast frame is encapsulated into IPv6 packets and send the data out. When the packet traverses the IPv6-only network and reaches an egress PE, for instance, PE2. The E-ADPT of PE2 extracts its Pref6-k and VEI with the value of vn1 from the destination IPv6 address and source IPv6 address of the packet. E-ADPT uses Pref6-k as the key to query the local MAC-VRF. If the corresponding entry is found and its VEI value is also vn1, this indicates that the site on PE2 is one site of instance VN1, then, E-ADPT remove the IPv6 header sends the broadcast frame to this site.

In the EVN6 framework, PE devices located at the edge of the network encapsulate Ethernet frames in IPv6 packets and support transmission between different sites. When generating the outer IPv6 header, the PE device maps information such as the IPv6 address prefix of the site, the Mac address of the host, and the identity of the virtual network to the IPv6 address of the outer encapsulation header, which applies to both the source and destination addresses. In this way, the outer IPv6 address is dynamically generated based on information such as MAC address. For any host to host communication, even if the source and destination hosts are in the same virtual private network, when their source and destination address pairs are different, the generated outer encapsulated IP address is also different. The outer IPv6 address varies with the MAC address of the Ethernet frame, this is different from the traditional encapsulation scheme of pre-configuring tunnel IP addresses, as statically configured tunnel endpoint addresses are likely to become the target of DDOS attacks. In EVN6, tunnel encapsulation adopts dynamically generated tunnel endpoint IPv6 addresses, which avoids the occurrence of DDOS attacks caused by statically pre-configured tunnel addresses. From this perspective, this solution improves the security of Ethernet virtual networks.

Compared with existing overlay approaches, EVN6 is perceived to have the following major advantages, 1)Improved forwarding efficiency EVN6 encapsulates Ethernet frame into IPv6 packet without extra encapsulation headers, compared with existing approaches, such as VxLAN, encapsulation and processing cost can be reduced. 2) High delivery flexibility EVN6 service can be provisioned to customer site as long as its access to lPv6 Internet is available. There is no specific requirement for the interworking between ISPs, so it can be easily deployed in multi-operator environment. 3)Enhanced anti-DDoS capability With EVN6 tunnel endpoint addresses are generated dynamically and there is no pre-configured static tunnel endpoint address, so the risk of DDoS attack to pre-configured static address can be avoided. 4)Source address based Traffic load-balancing Since the outer IPv6 source and destination addresses are generated by mapping source and destination host MAC address, VEI and site prefixes, different hosts within the same site have different outer IPv6 addresses, so traffic load balancing can be implemented based on the source IPv6 addresses.

There are no other special IANA considerations.