diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc4110.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc4110.txt')
-rw-r--r-- | doc/rfc/rfc4110.txt | 4595 |
1 files changed, 4595 insertions, 0 deletions
diff --git a/doc/rfc/rfc4110.txt b/doc/rfc/rfc4110.txt new file mode 100644 index 0000000..3071704 --- /dev/null +++ b/doc/rfc/rfc4110.txt @@ -0,0 +1,4595 @@ + + + + + + +Network Working Group R. Callon +Request for Comments: 4110 Juniper Networks +Category: Informational M. Suzuki + NTT Corporation + July 2005 + + + A Framework for Layer 3 + Provider-Provisioned Virtual Private Networks (PPVPNs) + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + This document provides a framework for Layer 3 Provider-Provisioned + Virtual Private Networks (PPVPNs). This framework is intended to aid + in the standardization of protocols and mechanisms for support of + layer 3 PPVPNs. It is the intent of this document to produce a + coherent description of the significant technical issues that are + important in the design of layer 3 PPVPN solutions. Selection of + specific approaches, making choices regarding engineering tradeoffs, + and detailed protocol specification, are outside of the scope of this + framework document. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. Objectives of the Document . . . . . . . . . . . . . . . 3 + 1.2. Overview of Virtual Private Networks . . . . . . . . . . 4 + 1.3. Types of VPNs. . . . . . . . . . . . . . . . . . . . . . 7 + 1.3.1. CE- vs PE-based VPNs . . . . . . . . . . . . . . 8 + 1.3.2. Types of PE-based VPNs . . . . . . . . . . . . . 9 + 1.3.3. Layer 3 PE-based VPNs. . . . . . . . . . . . . . 10 + 1.4. Scope of the Document. . . . . . . . . . . . . . . . . . 10 + 1.5. Terminology. . . . . . . . . . . . . . . . . . . . . . . 11 + 1.6. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . 13 + 2. Reference Models . . . . . . . . . . . . . . . . . . . . . . . 14 + 2.1. Reference Model for Layer 3 PE-based VPN . . . . . . . . 14 + 2.1.1. Entities in the Reference Model. . . . . . . . . 16 + 2.1.2. Relationship Between CE and PE . . . . . . . . . 18 + + + +Callon & Suzuki Informational [Page 1] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + 2.1.3. Interworking Model . . . . . . . . . . . . . . . 19 + 2.2. Reference Model for Layer 3 Provider-Provisioned + CE-based VPN . . . . . . . . . . . . . . . . . . . . . . 21 + 2.2.1. Entities in the Reference Model. . . . . . . . . 22 + 3. Customer Interface . . . . . . . . . . . . . . . . . . . . . . 23 + 3.1. VPN Establishment at the Customer Interface. . . . . . . 23 + 3.1.1. Layer 3 PE-based VPN . . . . . . . . . . . . . . 23 + 3.1.1.1. Static Binding . . . . . . . . . . . . 24 + 3.1.1.2. Dynamic Binding. . . . . . . . . . . . 24 + 3.1.2. Layer 3 Provider-Provisioned CE-based VPN. . . . 25 + 3.2. Data Exchange at the Customer Interface. . . . . . . . . 25 + 3.2.1. Layer 3 PE-based VPN . . . . . . . . . . . . . . 25 + 3.2.2. Layer 3 Provider-Provisioned CE-based VPN. . . . 26 + 3.3. Customer Visible Routing . . . . . . . . . . . . . . . . 26 + 3.3.1. Customer View of Routing for Layer 3 PE-based + VPNs . . . . . . . . . . . . . . . . . . . . . . 26 + 3.3.1.1. Routing for Intranets . . . . . . . . 27 + 3.3.1.2. Routing for Extranets . . . . . . . . 28 + 3.3.1.3. CE and PE Devices for Layer 3 + PE-based VPNs. . . . . . . . . . . . . 29 + 3.3.2. Customer View of Routing for Layer 3 Provider- + Provisioned CE-based VPNs. . . . . . . . . . . . 29 + 3.3.3. Options for Customer Visible Routing . . . . . . 30 + 4. Network Interface and SP Support of VPNs . . . . . . . . . . . 32 + 4.1. Functional Components of a VPN . . . . . . . . . . . . . 32 + 4.2. VPN Establishment and Maintenance. . . . . . . . . . . . 34 + 4.2.1. VPN Discovery . . . . . . . . . . . . . . . . . 35 + 4.2.1.1. Network Management for Membership + Information. . . . . . . . . . . . . . 35 + 4.2.1.2. Directory Servers. . . . . . . . . . . 36 + 4.2.1.3. Augmented Routing for Membership + Information. . . . . . . . . . . . . . 36 + 4.2.1.4. VPN Discovery for Inter-SP VPNs. . . . 37 + 4.2.2. Constraining Distribution of VPN Routing + Information . . . . . . . . . . . . . . . . . . 38 + 4.2.3. Controlling VPN Topology . . . . . . . . . . . . 38 + 4.3. VPN Tunneling . . . . . . . . . . . . . . . . . . . . . 40 + 4.3.1. Tunnel Encapsulations. . . . . . . . . . . . . . 40 + 4.3.2. Tunnel Multiplexing. . . . . . . . . . . . . . . 41 + 4.3.3. Tunnel Establishment . . . . . . . . . . . . . . 42 + 4.3.4. Scaling and Hierarchical Tunnels . . . . . . . . 43 + 4.3.5. Tunnel Maintenance . . . . . . . . . . . . . . . 45 + 4.3.6. Survey of Tunneling Techniques . . . . . . . . . 46 + 4.3.6.1. GRE . . . . . . . . . . . . . . . . . 46 + 4.3.6.2. IP-in-IP Encapsulation . . . . . . . . 47 + 4.3.6.3. IPsec. . . . . . . . . . . . . . . . . 48 + 4.3.6.4. MPLS . . . . . . . . . . . . . . . . . 49 + 4.4. PE-PE Distribution of VPN Routing Information. . . . . . 51 + + + +Callon & Suzuki Informational [Page 2] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + 4.4.1. Options for VPN Routing in the SP. . . . . . . . 52 + 4.4.2. VPN Forwarding Instances . . . . . . . . . . . . 52 + 4.4.3. Per-VPN Routing . . . . . . . . . . . . . . . . 53 + 4.4.4. Aggregated Routing Model . . . . . . . . . . . . 54 + 4.4.4.1. Aggregated Routing with OSPF or IS-IS. 55 + 4.4.4.2. Aggregated Routing with BGP. . . . . . 56 + 4.4.5. Scalability and Stability of Routing with Layer + 3 PE-based VPNs. . . . . . . . . . . . . . . . . 59 + 4.5. Quality of Service, SLAs, and IP Differentiated Services 61 + 4.5.1. IntServ/RSVP . . . . . . . . . . . . . . . . . . 61 + 4.5.2. DiffServ . . . . . . . . . . . . . . . . . . . . 62 + 4.6. Concurrent Access to VPNs and the Internet . . . . . . . 62 + 4.7. Network and Customer Management of VPNs. . . . . . . . . 63 + 4.7.1. Network and Customer Management. . . . . . . . . 63 + 4.7.2. Segregated Access of VPN Information . . . . . . 64 + 5. Interworking Interface . . . . . . . . . . . . . . . . . . . . 66 + 5.1. Interworking Function. . . . . . . . . . . . . . . . . . 66 + 5.2. Interworking Interface . . . . . . . . . . . . . . . . . 66 + 5.2.1. Tunnels at the Interworking Interface. . . . . . 67 + 5.3. Support of Additional Services . . . . . . . . . . . . . 68 + 5.4. Scalability Discussion . . . . . . . . . . . . . . . . . 69 + 6. Security Considerations. . . . . . . . . . . . . . . . . . . . 69 + 6.1. System Security. . . . . . . . . . . . . . . . . . . . . 70 + 6.2. Access Control . . . . . . . . . . . . . . . . . . . . . 70 + 6.3. Endpoint Authentication . . . . . . . . . . . . . . . . 70 + 6.4. Data Integrity . . . . . . . . . . . . . . . . . . . . . 71 + 6.5. Confidentiality. . . . . . . . . . . . . . . . . . . . . 71 + 6.6. User Data and Control Data . . . . . . . . . . . . . . . 72 + 6.7. Security Considerations for Inter-SP VPNs . . . . . . . 72 + Appendix A: Optimizations for Tunnel Forwarding. . . . . . . . . . 73 + A.1. Header Lookups in the VFIs . . . . . . . . . . . . . . . 73 + A.2. Penultimate Hop Popping for MPLS . . . . . . . . . . . . 73 + A.3. Demultiplexing to Eliminate the Tunnel Egress VFI Lookup 74 + Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . . . 75 + Normative References . . . . . . . . . . . . . . . . . . . . . . . 76 + Informative References . . . . . . . . . . . . . . . . . . . . . . 76 + Contributors' Addresses. . . . . . . . . . . . . . . . . . . . . . 80 + +1. Introduction + +1.1. Objectives of the Document + + This document provides a framework for Layer 3 Provider-Provisioned + Virtual Private Networks (PPVPNs). This framework is intended to aid + in standardizing protocols and mechanisms to support interoperable + layer 3 PPVPNs. + + + + + +Callon & Suzuki Informational [Page 3] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + The term "provider-provisioned VPNs" refers to Virtual Private + Networks (VPNs) for which the Service Provider (SP) participates in + management and provisioning of the VPN, as defined in section 1.3. + There are multiple ways in which a provider can participate in + managing and provisioning a VPN; therefore, there are multiple + different types of PPVPNs. The framework document discusses layer 3 + VPNs (as defined in section 1.3). + + First, this document provides a reference model for layer 3 PPVPNs. + Then technical aspects of layer 3 PPVPN operation are discussed, + first from the customer's point of view, then from the providers + point of view. Specifically, this includes discussion of the + technical issues which are important in the design of standards and + mechanisms for the operation and support of layer 3 PPVPNs. + Furthermore, technical aspects of layer 3 PPVPN interworking are + clarified. Finally, security issues as they apply to layer 3 PPVPNs + are addressed. + + This document takes a "horizontal description" approach. For each + technical issue, it describes multiple approaches. To specify a + particular PPVPN strategy, one must choose a particular way of + solving each problem, but this document does not make choices, and + does not select any particular approach to support VPNs. + + The "vertical description" approach is taken in other documents, + viz., in the documents that describe particular PPVPN solutions. + Note that any specific solution will need to make choices based on SP + requirements, customer needs, implementation cost, and engineering + tradeoffs. Solutions will need to chose between flexibility + (supporting multiple options) and conciseness (selection of specific + options in order to simplify implementation and deployment). While a + framework document can discuss issues and criteria which are used as + input to these choices, the specific selection of a solution is + outside of the scope of a framework document. + +1.2. Overview of Virtual Private Networks + + The term "Virtual Private Network" (VPN) refers to a set of + communicating sites, where (a) communication between sites outside + the set and sites inside the set is restricted, but (b) communication + between sites in the VPN takes place over a network infrastructure + that is also used by sites which are not in the VPN. The fact that + the network infrastructure is shared by multiple VPNs (and possibly + also by non-VPN traffic) is what distinguishes a VPN from a private + network. We will refer to this shared network infrastructure as the + "VPN Backbone". + + + + + +Callon & Suzuki Informational [Page 4] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + The logical structure of the VPN, such as addressing, topology, + connectivity, reachability, and access control, is equivalent to part + of or all of a conventional private network using private facilities + [RFC2764] [VPN-2547BIS]. + + In this document, we are concerned only with the case where the + shared network infrastructure (VPN backbone) is an IP and/or MPLS + network. Further, we are concerned only with the case where the + Service Provider's edge devices, whether at the provider edge (PE) or + at the Customer Edge (CE), determine how to route VPN traffic by + looking at the IP and/or MPLS headers of the packets they receive + from the customer's edge devices; this is the distinguishing feature + of Layer 3 VPNs. + + In some cases, one SP may offer VPN services to another SP. The + former SP is known as a carrier of carriers, and the service it + offers is known as "carrier of carriers" service. In this document, + in cases where the customer could be either an enterprise or SP + network, we will make use of the term "customer" to refer to the user + of the VPN services. Similarly we will use the term "customer + network" to refer to the user's network. + + VPNs may be intranets, in which the multiple sites are under the + control of a single customer administration, such as multiple sites + of a single company. Alternatively, VPNs may be extranets, in which + the multiple sites are controlled by administrations of different + customers, such as sites corresponding to a company, its suppliers, + and its customers. + + Figure 1.1. illustrates an example network, which will be used in + the discussions below. PE1 and PE2 are Provider Edge devices within + an SP network. CE1, CE2, and CE3 are Customer Edge devices within a + customer network. Routers r3, r4, r5, and r6 are IP routers internal + to the customer sites. + + + + + + + + + + + + + + + + + +Callon & Suzuki Informational [Page 5] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + ............ ................. ............ + . . . . . . + . +---+ +-------+ +-------+ +---+ . + . r3---| | | | | |----|CE2|---r5 . + . | | | | | | +---+ . + . |CE1|----| PE1 | | PE2 | : . + . | | | | | | +---+ . + . r4---| | | | | |----|CE3|---r6 . + . +---+ +-------+ +-------+ +---+ . + . Customer . . Service . . Customer . + . site 1 . . provider(s) . . site 2 . + ............ ................. ............ + + Figure 1.1.: VPN interconnecting two sites. + + In many cases, Provider Edge (PE) and Customer Edge (CE) devices may + be either routers or LSRs. + + In this document, the Service Providers' network is an IP or MPLS + network. It is desired to interconnect the customer network sites + via the Service Providers' network. Some VPN solutions require that + the VPN service be provided either over a single SP network, or over + a small set of closely cooperating SP networks. Other VPN solutions + are intended to allow VPN service to be provided over an arbitrary + set of minimally cooperating SP networks (i.e., over the public + Internet). + + In many cases, customer networks will make use of private IP + addresses [RFC1918] or other non-unique IP address (i.e., + unregistered addresses); there is no guarantee that the IP addresses + used in the customer network are globally unique. The addresses used + in one customer's network may overlap the addresses used in others. + However, a single PE device can be used to provide VPN service to + multiple customer networks, even if those customer networks have + overlapping addresses. In PE-based layer 3 VPNs, the PE devices may + route the VPN traffic based on the customer addresses found in the IP + headers; this implies that the PE devices need to maintain a level of + isolation between the packets from different customer networks. In + CE-based layer 3 VPNs, the PEs do not make routing decisions based on + the customer's private addresses, so this issue does not arise. For + either PE or CE-based VPNs, the fact that the VPNs do not necessarily + use globally unique address spaces also implies that IP packets from + a customer network cannot be transmitted over the SP network in their + native form. Instead, some form of encapsulation/tunneling must be + used. + + + + + + +Callon & Suzuki Informational [Page 6] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + Tunneling is also important for other reasons, such as providing + isolation between different customer networks, allowing a wide range + of protocols to be carried over an SP network, etc. Different QoS + and security characteristics may be associated with different + tunnels. + +1.3. Types of VPNs + + This section describes multiple types of VPNs, and some of the + engineering tradeoffs between different types. It is not up to this + document to decide between different types of VPNs. Different types + of VPNs may be appropriate in different situations. + + There is a wide spectrum of types of possible VPNs, and it is + difficult to split the types of VPNs into clearly distinguished + categories. + + As an example, consider a company making use of a private network, + with several sites interconnected via leased lines. All routing is + done via routers which are internal to the private network. + + At some point, the administrator of the private network might decide + to replace the leased lines by ATM links (using an ATM service from + an SP). Here again all IP-level routing is done between customer + premises routers, and managed by the private network administrator. + + In order to reduce the network management burden on the private + network, the company may decide to make use of a provider-provisioned + CE devices [VPN-CE]. Here the operation of the network might be + unchanged, except that the CE devices would be provided by and + managed by an SP. + + The SP might decide that it is too difficult to manually configure + each CE-CE link. This might lead the SP to replace the ATM links + with a layer 2 VPN service between CE devices [VPN-L2]. Auto- + discovery might be used to simplify configuration of links between CE + devices, and an MPLS service might be used between CE devices instead + of an ATM service (for example, to take advantage of the provider's + high speed IP or MPLS backbone). + + After a while the SP might decide that it is too much trouble to be + managing a large number of devices at the customers' premises, and + might instead physically move these routers to be on the provider + premises. Each edge router at the provider premises might + nonetheless be dedicated to a single VPN. The operation might remain + unchanged (except that links from the edge routers to other routers + in the private network become MAN links instead of LAN links, and the + link from the edge routers to provider core routers become LAN links + + + +Callon & Suzuki Informational [Page 7] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + instead of MAN links). The routers in question can now be considered + to be provider edge routers, and the service provided by the SP has + now become essentially a layer 3 VPN service. + + In order to minimize the cost of equipment, the provider might decide + to replace several dedicated PE devices with a single physical router + with the capability of running virtual routers (VR) [VPN-VR]. + Protocol operation may remain unchanged. In this case the provider + is offering a layer 3 VPN service making use of a VR capability. + Note that autodiscovery might be used in a manner which is very + similar to how it had been done in the layer 2 VPN case described + above (for example, BGP might be used between VRs for discovery of + other VRs supporting the same VPN). + + Finally, in order to simplify operation of routing protocols for the + private network over the SP network, the provider might decide to + aggregate multiple instances of routing into a single instance of BGP + [VPN-2547BIS]. + + In practice it is highly unlikely that any one network would actually + evolve through all of these approaches at different points in time. + However, this example illustrates that there is a continuum of + possible approaches, and each approach is relatively similar to at + least some of the other possible approaches for supporting VPN + services. Some techniques (such as auto-discovery of VPN sites) may + be common between multiple approaches. + +1.3.1. CE- vs PE-based VPNs + + The term "CE-based VPN" (or Customer Edge-based Virtual Private + Network) refers to an approach in which the PE devices do not know + anything about the routing or the addressing of the customer + networks. The PE devices offer a simple IP service, and expect to + receive IP packets whose headers contain only globally unique IP + addresses. What makes a CE-based VPN into a Provider-Provisioned VPN + is that the SP takes on the task of managing and provisioning the CE + devices [VPN-CE]. + + In CE-based VPNs, the backbone of the customer network is a set of + tunnels whose endpoints are the CE devices. Various kinds of tunnels + may be used (e.g., GRE, IP-in-IP, IPsec, L2TP, MPLS), the only + overall requirement being that sending a packet through the tunnel + requires encapsulating it with a new IP header whose addresses are + globally unique. + + For customer provisioned CE-based VPNs, provisioning and management + of the tunnels is the responsibility of the customer network + administration. Typically, this makes use of manual configuration of + + + +Callon & Suzuki Informational [Page 8] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + the tunnels. In this case the customer is also responsible for + operation of the routing protocol between CE devices. (Note that + discussion of customer provisioned CE-based VPNs is out of scope of + the document). + + For provider-provisioned CE-based VPNs, provisioning and management + of the tunnels is the responsibility of the SP. In this case the + provider may also configure routing protocols on the CE devices. + This implies that routing in the private network is partially under + the control of the customer, and partially under the control of the + SP. + + For CE-based VPNs (whether customer or provider-provisioned) routing + in the customer network treats the tunnels as layer 2 links. + + In a PE-based VPN (or Provider Edge-based Virtual Private Network), + customer packets are carried through the SP networks in tunnels, just + as they are in CE-based VPNs. However, in a PE-based VPN, the tunnel + endpoints are the PE devices, and the PE devices must know how to + route the customer packets, based on the IP addresses that they + carry. In this case, the CE devices themselves do not have to have + any special VPN capabilities, and do not even have to know that they + are part of a VPN. + + In this document we will use the generic term "VPN Edge Device" to + refer to the device, attached to both the customer network and the + VPN backbone, that performs the VPN-specific functions. In the case + of CE-based VPNs, the VPN Edge Device is a CE device. In the case of + PE-based VPNs, the VPN Edge Device is a PE device. + +1.3.2. Types of PE-based VPNs + + Different types of PE-based VPNs may be distinguished by the service + offered. + + o Layer 3 service + + When a PE receives a packet from a CE, it determines how to forward + the packet by considering both the packet's incoming link, and the + layer 3 information in the packet's header. + + o Layer 2 service + + When a PE receives a frame from a CE, it determines how to forward + the packet by considering both the packet's incoming link, and the + layer 2 information in the frame header (such as FR, ATM, or MAC + header). (Note that discussion of layer 2 service is out of scope + of the document). + + + +Callon & Suzuki Informational [Page 9] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +1.3.3. Layer 3 PE-based VPNs + + A layer 3 PE-based VPN is one in which the SP takes part in IP level + forwarding based on the customer network's IP address space. In + general, the customer network is likely to make use of private and/or + non-unique IP addresses. This implies that at least some devices in + the provider network needs to understand the IP address space as used + in the customer network. Typically this knowledge is limited to the + PE devices which are directly attached to the customer. + + In a layer 3 PE-based VPN, the provider will need to participate in + some aspects of management and provisioning of the VPNs, such as + ensuring that the PE devices are configured to support the correct + VPNs. This implies that layer 3 PE-based VPNs are by definition + provider-provisioned VPNs. + + Layer 3 PE-based VPNs have the advantage that they offload some + aspects of VPN management from the customer network. From the + perspective of the customer network, it looks as if there is just a + normal network; specific VPN functionality is hidden from the + customer network. Scaling of the customer network's routing might + also be improved, since some layer 3 PE-based VPN approaches avoid + the need for the customer's routing algorithm to see "N squared" + (actually N*(N-1)/2) point to point duplex links between N customer + sites. + + However, these advantages come along with other consequences. + Specifically, the PE devices must have some knowledge of the routing, + addressing, and layer 3 protocols of the customer networks to which + they attach. One consequence is that the set of layer 3 protocols + which can be supported by the VPN is limited to those supported by + the PE (which in practice means, limited to IP). Another consequence + is that the PE devices have more to do, and the SP has more + per-customer management to do. + + An SP may offer a range of layer 3 PE-based VPN services. At one end + of the range is a service limited to simply providing connectivity + (optionally including QoS support) between specific customer network + sites. This is referred to as "Network Connectivity Service". There + is a spectrum of other possible services, such as firewalls, user or + site of origin authentication, and address assignment (e.g., using + Radius or DHCP). + +1.4. Scope of the Document + + This framework document will discuss methods for providing layer 3 + PE-based VPNs and layer 3 provider-provisioned CE-based VPNs. This + may include mechanisms which will can be used to constrain + + + +Callon & Suzuki Informational [Page 10] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + connectivity between sites, including the use and placement of + firewalls, based on administrative requirements [PPVPN-REQ] + [L3VPN-REQ]. Similarly the use and placement of NAT functionality is + discussed. However, this framework document will not discuss methods + for additional services such as firewall administration and address + assignment. A discussion of specific firewall mechanisms and + policies, and detailed discussion of NAT functionality, are outside + of the scope of this document. + + This document does not discuss those forms of VPNs that are outside + of the scope of the IETF Provider-Provisioned VPN working group. + Specifically, this document excludes discussion of PPVPNs using VPN + native (non-IP, non-MPLS) protocols as the base technology used to + provide the VPN service (e.g., native ATM service provided using ATM + switches with ATM signaling). However, this does not mean to exclude + multiprotocol access to the PPVPN by customers. + +1.5. Terminology + + Backdoor Links: Links between CE devices that are provided by the end + customer rather than the SP; may be used to interconnect CE devices + in multiple-homing arrangements. + + CE-based VPN: An approach in which all the VPN-specific procedures + are performed in the CE devices, and the PE devices are not aware in + any way that some of the traffic they are processing is VPN traffic. + + Customer: A single organization, corporation, or enterprise that + administratively controls a set of sites belonging to a VPN. + + Customer Edge (CE) Device: The equipment on the customer side of the + SP-customer boundary (the customer interface). + + IP Router: A device which forwards IP packets, and runs associated IP + routing protocols (such as OSPF, IS-IS, RIP, BGP, or similar + protocols). An IP router might optionally also be an LSR. The term + "IP router" is often abbreviated as "router". + + Label Switching Router: A device which forwards MPLS packets and runs + associated IP routing and signaling protocols (such as LDP, RSVP-TE, + CR-LDP, OSPF, IS-IS, or similar protocols). A label switching router + is also an IP router. + + PE-Based VPNs: The PE devices know that certain traffic is VPN + traffic. They forward the traffic (through tunnels) based on the + destination IP address of the packet, and optionally on based on + other information in the IP header of the packet. The PE devices are + + + + +Callon & Suzuki Informational [Page 11] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + themselves the tunnel endpoints. The tunnels may make use of various + encapsulations to send traffic over the SP network (such as, but not + restricted to, GRE, IP-in-IP, IPsec, or MPLS tunnels). + + Private Network: A network which allows communication between a + restricted set of sites, over an IP backbone that is used only to + carry traffic to and from those sites. + + Provider Edge (PE) Device: The equipment on the SP side of the + SP-customer boundary (the customer interface). + + Provider-Provisioned VPNs (PPVPNs): VPNs, whether CE-based or + PE-based, that are actively managed by the SP rather than by the end + customer. + + Route Reflectors: An SP-owned network element that is used to + distribute BGP routes to the SP's BGP-enabled routers. + + Virtual Private Network (VPN): Restricted communication between a set + of sites, making use of an IP backbone which is shared by traffic + that is not going to or coming from those sites. + + Virtual Router (VR): An instance of one of a number of logical + routers located within a single physical router. Each logical router + emulates a physical router using existing mechanisms and tools for + configuration, operation, accounting, and maintenance. + + VPN Forwarding Instance (VFI): A logical entity that resides in a PE + that includes the router information base and forwarding information + base for a VPN. + + VPN Backbone: IP and/or MPLS network which is used to carry VPN + traffic between the customer sites of a particular VPN. + + VPN Edge Device: Device, attached to both the VPN backbone and the + customer network, which performs VPN-specific functions. For + PE-based VPNs, this is the PE device; for CE-based VPNs, this is the + CE device. + + VPN Routing: Routing that is specific to a particular VPN. + + VPN Tunnel: A logical link between two PE or two CE entities, used to + carry VPN traffic, and implemented by encapsulating packets that are + transmitted between those two entities. + + + + + + + +Callon & Suzuki Informational [Page 12] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +1.6. Acronyms + + ATM Asynchronous Transfer Mode + BGP Border Gateway Protocol + CE Customer Edge + CLI Command Line Interface + CR-LDP Constraint-based Routing Label Distribution Protocol + EBGP External Border Gateway Protocol + FR Frame Relay + GRE Generic Routing Encapsulation + IBGP Internal Border Gateway Protocol + IKE Internet Key Exchange + IGP Interior Gateway Protocol + (e.g., RIP, IS-IS and OSPF are all IGPs) + IP Internet Protocol (same as IPv4) + IPsec Internet Protocol Security protocol + IPv4 Internet Protocol version 4 (same as IP) + IPv6 Internet Protocol version 6 + IS-IS Intermediate System to Intermediate System routing + protocol + L2TP Layer 2 Tunneling Protocol + LAN Local Area Network + LDAP Lightweight Directory Access Protocol + LDP Label Distribution Protocol + LSP Label Switched Path + LSR Label Switching Router + MIB Management Information Base + MPLS Multi Protocol Label Switching + NBMA Non-Broadcast Multi-Access + NMS Network Management System + OSPF Open Shortest Path First routing protocol + P Provider equipment + PE Provider Edge + PPVPN Provider-Provisioned VPN + QoS Quality of Service + RFC Request For Comments + RIP Routing Information Protocol + RSVP Resource Reservation Protocol + RSVP-TE Resource Reservation Protocol with Traffic + Engineering Extensions + SNMP Simple Network Management Protocol + SP Service Provider + VFI VPN Forwarding Instance + VPN Virtual Private Network + VR Virtual Router + + + + + + +Callon & Suzuki Informational [Page 13] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +2. Reference Models + + This section describes PPVPN reference models. The purpose of + discussing reference models is to clarify the common components and + pieces that are needed to build and deploy a PPVPN. Two types of + VPNs, layer 3 PE-based VPN and layer 3 provider-provisioned CE-based + VPN are covered in separated sections below. + +2.1. Reference Model for Layer 3 PE-based VPN + + This subsection describes functional components and their + relationship for implementing layer 3 PE-based VPN. + + Figure 2.1 shows the reference model for layer 3 PE-based VPNs and + Figures 2.2 and 2.3 show relationship between entities in the + reference model. + + As shown in Figure 2.1, the customer interface is defined as the + interface which exists between CE and PE devices, and the network + interface is defined as the interface which exists between a pair of + PE devices. + + Figure 2.2 illustrates a single logical tunnel between each pair of + VFIs supporting the same VPN. Other options are possible. For + example, a single tunnel might occur between two PEs, with multiple + per-VFI tunnels multiplexed over the PE to PE tunnel. Similarly, + there may be multiple tunnels between two VFIs, for example to + optimize forwarding within the VFI. Other possibilities will be + discussed later in this framework document. + + + + + + + + + + + + + + + + + + + + + + +Callon & Suzuki Informational [Page 14] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + +---------+ +------------------------------------+ +---------+ + | | | | | | + | | | +------+ +------+ : +------+ ++------+ : | | | | | | : | CE | +| CE | : | | | P | | PE | : |device| +|device| : +------+ VPN tunnel : |router| |device| : | of | +| of |-:--| |================:===============| |--:-|VPN A| +|VPN A| : | | : +------+ +------+ : +------+ ++------+ : | PE | : | | : | ++------+ : |device| Network interface | | : | +| CE | : | | : +------+ : +------+ +|device|-:--| |================:===============| |--:-| CE | +| of | : +------+ : VPN tunnel | PE | : |device| +|VPN B| : | | |device| : | of | ++------+ : | | +------------+ +------------+ | | : |VPN B| + | : | | | Customer | | Network | +------+ : +------+ + |Customer | | | management | | management | | | : | + |interface| | | function | | function | | |Customer | + | | | +------------+ +------------+ | |interface| + | | | | | | + +---------+ +------------------------------------+ +---------+ + | Access | |<---------- SP network(s) --------->| | Access | + | network | | single or multiple SP domains | | network | + + Figure 2.1: Reference model for layer 3 PE-based VPN. + + + +----------+ +----------+ ++-----+ |PE device | |PE device | +-----+ +| CE | | | | | | CE | +| dev | Access | +------+ | | +------+ | Access | dev | +| of | conn. | |VFI of| | VPN tunnel | |VFI of| | conn. | of | +|VPN A|----------|VPN A |======================|VPN A |----------|VPN A| ++-----+ | +------+ | | +------+ | +-----+ + | | | | ++-----+ Access | +------+ | | +------+ | Access +-----+ +| CE | conn. | |VFI of| | VPN tunnel | |VFI of| | conn. | CE | +| dev |----------|VPN B |======================|VPN B |----------| dev | +| of | | +------+ | | +------+ | | of | +|VPN B| | | | | |VPN B| ++-----+ +----------+ +----------+ +-----+ + + Figure 2.2: Relationship between entities in reference model (1). + + + + + + + + +Callon & Suzuki Informational [Page 15] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + +----------+ +----------+ ++-----+ |PE device | |PE device | +-----+ +| CE | | | | | | CE | +| dev | Access | +------+ | | +------+ | Access | dev | +| of | conn. | |VFI of| | | |VFI of| | conn. | of | +|VPN A|----------|VPN A | | | |VPN A |----------|VPN A| ++-----+ | +------+\| Tunnel |/+------+ | +-----+ + | >==================< | ++-----+ Access | +------+/| |\+------+ | Access +-----+ +| CE | conn. | |VFI of| | | |VFI of| | conn. | CE | +| dev |----------|VPN B | | | |VPN B |----------| dev | +| of | | +------+ | | +------+ | | of | +|VPN B| | | | | |VPN B| ++-----+ +----------+ +----------+ +-----+ + + Figure 2.3: Relationship between entities in reference model (2). + +2.1.1. Entities in the Reference Model + + The entities in the reference model are described below. + + o Customer edge (CE) device + + In the context of layer 3 provider-provisioned PE-based VPNs, a CE + device may be a router, LSR, or host that has no VPN-specific + functionality. It is attached via an access connection to a PE + device. + + o P router + + A router within a provider network which is used to interconnect PE + devices, but which does not have any VPN state and does not have + any direct attachment to CE devices. + + o Provider edge (PE) device + + In the context of layer 3 provider-provisioned PE-based VPNs, a PE + device implements one or more VFIs and maintains per-VPN state for + the support of one or more VPNs. It may be a router, LSR, or other + device that includes VFIs and provider edge VPN functionality such + as provisioning, management, and traffic classification and + separation. (Note that access connections are terminated by VFIs + from the functional point of view). A PE device is attached via an + access connection to one or more CE devices. + + + + + + + +Callon & Suzuki Informational [Page 16] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o Customer site + + A customer site is a set of users that have mutual IP reachability + without use of a VPN backbone that goes beyond the site. + + o SP networks + + An SP network is an IP or MPLS network administered by a single + service provider. + + o Access connection + + An access connection represents an isolated layer 2 connectivity + between a CE device and a PE device. Access connections can be, + e.g., dedicated physical circuits, logical circuits (such as FR, + ATM, and MAC), or IP tunnels (e.g., using IPsec, L2TP, or MPLS). + + o Access network + + An access network provides access connections between CE and PE + devices. It may be a TDM network, layer 2 network (e.g., FR, ATM, + and Ethernet), or IP network over which access is tunneled (e.g., + using L2TP [RFC2661] or MPLS). + + o VPN tunnel + + A VPN tunnel is a logical link between two VPN edge devices. A VPN + packet is carried on a tunnel by encapsulating it before + transmitting it over the VPN backbone. + + Multiple VPN tunnels at one level may be hierarchically multiplexed + into a single tunnel at another level. For example, multiple per- + VPN tunnels may be multiplexed into a single PE to PE tunnel (e.g., + GRE, IP-in-IP, IPsec, or MPLS tunnel). This is illustrated in + Figure 2.3. See section 4.3 for details. + + o VPN forwarding instance (VFI) + + A single PE device is likely to be connected to a number of CE + devices. The CE devices are unlikely to all be in the same VPN. + The PE device must therefore maintain a separate forwarding + instances for each VPN to which it is connected. A VFI is a + logical entity, residing in a PE, that contains the router + information base and forwarding information base for a VPN. The + interaction between routing and VFIs is discussed in section 4.4.2. + + + + + + +Callon & Suzuki Informational [Page 17] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o Customer management function + + The customer management function supports the provisioning of + customer specific attributes, such as customer ID, personal + information (e.g., name, address, phone number, credit card number, + and etc.), subscription services and parameters, access control + policy information, billing and statistical information, and etc. + + The customer management function may use a combination of SNMP + manager, directory service (e.g., LDAP [RFC3377]), or proprietary + network management system. + + o Network management function + + The network management function supports the provisioning and + monitoring of PE or CE device attributes and their relationships. + + The network management function may use a combination of SNMP + manager, directory service (e.g., LDAP [RFC3377]), or proprietary + network management system. + +2.1.2. Relationship Between CE and PE + + For robustness, a CE device may be connected to more than one PE + device, resulting in a multi-homing arrangement. Four distinct types + of multi-homing arrangements, shown in Figure 2.4, may be supported. + + + + + + + + + + + + + + + + + + + + + + + + + +Callon & Suzuki Informational [Page 18] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + +---------------- +--------------- + | | + +------+ +------+ + +---------| PE | +---------| PE | + | |device| | |device| SP network + | +------+ | +------+ ++------+ | +------+ | +| CE | | | CE | +--------------- +|device| | SP network |device| +--------------- ++------+ | +------+ | + | +------+ | +------+ + | | PE | | | PE | + +---------|device| +---------|device| SP network + +------+ +------+ + | | + +---------------- +--------------- +This type includes a CE device connected +to a PE device via two access connections. + (a) (b) + + +---------------- +--------------- + | | ++------+ +------+ +------+ +------+ +| CE |-----| PE | | CE |-----| PE | +|device| |device| |device| |device| SP network ++------+ +------+ +------+ +------+ + | | | | + | Backdoor | | Backdoor +--------------- + | link | SP network | link +--------------- + | | | | ++------+ +------+ +------+ +------+ +| CE | | PE | | CE | | PE | +|device|-----|device| |device|-----|device| SP network ++------+ +------+ +------+ +------+ + | | + +---------------- +--------------- + + (c) (d) + + Figure 2.4: Four types of double-homing arrangements. + +2.1.3. Interworking Model + + It is quite natural to assume that multiple different layer 3 VPN + approaches may be implemented, particularly if the VPN backbone + includes more than one SP network. For example, (1) each SP chooses + one or more layer 3 PE-based VPN approaches out of multiple vendor's + implementations, implying that different SPs may choose different + + + +Callon & Suzuki Informational [Page 19] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + approaches; and (2) an SP may deploy multiple networks of layer 3 + PE-based VPNs (e.g., an old network and a new network). Thus it is + important to allow interworking of layer 3 PE-based VPNs making use + of multiple different layer 3 VPN approaches. + + There are three scenarios that enable layer 3 PE-based VPN + interworking among different approaches. + + o Interworking function + + This scenario enables interworking using a PE that is located at + one or more points which are logically located between VPNs based + on different layer 3 VPN approaches. For example, this PE may be + located on the boundary between SP networks which make use of + different layer 3 VPN approaches [VPN-DISC]. A PE at one of these + points is called an interworking function (IWF), and an example + configuration is shown in Figure 2.5. + + +------------------+ +------------------+ + | | | | + +------+ VPN tunnel +------+ VPN tunnel +------+ + | |==============| |==============| | + | | | | | | + | PE | | PE | | PE | + | | |device| | | + |device| |(IWF) | |device| + | | VPN tunnel | | VPN tunnel | | + | |==============| |==============| | + +------+ +------+ +------+ + | | | | + +------------------+ +------------------+ + |<-VPN approach 1->| |<-VPN approach 2->| + + Figure 2.5: Interworking function. + + o Interworking interface + + This scenario enables interworking using tunnels between PEs + supporting by different layer 3 VPN approaches. As shown in Figure + 2.6, interworking interface is defined as the interface which + exists between a pair of PEs and connects two SP networks + implemented with different approaches. This interface is similar + to the customer interface located between PE and CE, but the + interface is supported by tunnels to identify VPNs, while the + customer interface is supported by access connections. + + + + + + +Callon & Suzuki Informational [Page 20] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + +------------------+ +------------------+ + | | : | | + +------+ VPN tunnel +------+Tunnel: +------+ VPN tunnel +------+ + | |============| |======:======| |============| | + | | | | : | | | | + | PE | | PE | : | PE | | PE | + | | | | : | | | | + |device| |device| : |device| |device| + | | VPN tunnel | |Tunnel: | | VPN tunnel | | + | |============| |======:======| |============| | + +------+ +------+ : +------+ +------+ + | | : | | + +------------------+ Interworking +------------------+ + |<-VPN approach 1->| interface |<-VPN approach 2->| + + Figure 2.6: Interworking interface. + + o Customer-based interworking + + If some customer site has a CE attached to one kind of VPN, and a + CE attached to another kind, communication between the two kinds of + VPN occurs automatically. + +2.2. Reference Model for Layer 3 Provider-Provisioned CE-based VPN + + This subsection describes functional components and their + relationship for implementing layer 3 provider-provisioned CE-based + VPN. + + Figure 2.7 shows the reference model for layer 3 provider-provisioned + CE-based VPN. As shown in Figure 2.7, the customer interface is + defined as the interface which exists between CE and PE devices. + + In this model, a CE device maintains one or more VPN tunnel + endpoints, and a PE device has no VPN-specific functionality. As a + result, the interworking issues of section 2.1.3 do not arise. + + + + + + + + + + + + + + + +Callon & Suzuki Informational [Page 21] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + +---------+ +------------------------------------+ +---------+ + | | | | | | + | | | +------+ +------+ : +------+ ++------+ : | | | | | | : | CE | +| CE | : | | | P | | PE | : |device| +|device| : +------+ VPN tunnel |router| |device| : | of | +| of |=:====================================================:=|VPN A| +|VPN A| : | | +------+ +------+ : +------+ ++------+ : | PE | | | : | ++------+ : |device| | | : | +| CE | : | | VPN tunnel +------+ : +------+ +|device|=:====================================================:=| CE | +| of | : +------+ | PE | : |device| +|VPN B| : | | |device| : | of | ++------+ : | | +------------+ +------------+ | | : |VPN B| + | : | | | Customer | | Network | +------+ : +------+ + |Customer | | | management | | management | | | : | + |interface| | | function | | function | | |Customer | + | | | +------------+ +------------+ | |interface| + | | | | | | + +---------+ +------------------------------------+ +---------+ + | Access | |<---------- SP network(s) --------->| | Access | + | network | | | | network | + + Figure 2.7: Reference model for layer 3 + provider-provisioned CE-based VPN. + +2.2.1. Entities in the Reference Model + + The entities in the reference model are described below. + + o Customer edge (CE) device + + In the context of layer 3 provider-provisioned CE-based VPNs, a CE + device provides layer 3 connectivity to the customer site. It may + be a router, LSR, or host that maintains one or more VPN tunnel + endpoints. A CE device is attached via an access connection to a + PE device and usually located at the edge of a customer site or + co-located on an SP premises. + + o P router (see section 2.1.1) + + o Provider edge (PE) device + + In the context of layer 3 provider-provisioned CE-based VPNs, a PE + device may be a router, LSR, or other device that has no + VPN-specific functionality. It is attached via an access + connection to one or more CE devices. + + + +Callon & Suzuki Informational [Page 22] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o Customer Site (see section 2.1.1) + + o SP networks + + An SP network is a network administrated by a single service + provider. It is an IP or MPLS network. In the context of layer 3 + provider-provisioned CE-based VPNs, the SP network consists of the + SP's network and the SP's management functions that manage both its + own network and the customer's VPN functions on the CE device. + + o Access connection (see section 2.1.1) + + o Access network (see section 2.1.1) + + o VPN tunnel + + A VPN tunnel is a logical link between two entities which is + created by encapsulating packets within an encapsulating header for + purpose of transmission between those two entities for support of + VPNs. In the context of layer 3 provider-provisioned CE-based + VPNs, a VPN tunnel is an IP tunnel (e.g., using GRE, IP-in-IP, + IPsec, or L2TP) or an MPLS tunnel between two CE devices over the + SP's network. + + o Customer management function (see section 2.1.1) + + o Network management function + + The network management function supports the provisioning and + monitoring of PE or CE device attributes and their relationships, + covering PE and CE devices that define the VPN connectivity of the + customer VPNs. + + The network management function may use a combination of SNMP + manager, directory service (e.g., LDAP [RFC3377]), or proprietary + network management system. + +3. Customer Interface + +3.1. VPN Establishment at the Customer Interface + +3.1.1. Layer 3 PE-based VPN + + It is necessary for each PE device to know which CEs it is attached + to, and what VPNs each CE is associated with. + + VPN membership refers to the association of VPNs, CEs, and PEs. A + given CE belongs to one or more VPNs. Each PE is therefore + + + +Callon & Suzuki Informational [Page 23] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + associated with a set of VPNs, and a given VPN has a set of + associated PEs which are supporting that VPN. If a PE has at least + one attached CE belonging to a given VPN, then state information for + that VPN (e.g., the VPN routes) must exist on that PE. The set of + VPNs that exist on a PE may change over time as customer sites are + added to or removed from the VPNs. + + In some layer 3 PE-based PPVPN schemes, VPN membership information + (i.e., information about which PEs are attached to which VPNs) is + explicitly distributed. In others, the membership information is + inferred from other information that is distributed. Different + schemes use the membership information in different ways, e.g., some + to determine what set of tunnels to set up, some to constrain the + distribution of VPN routing information. + + A VPN site may be added or deleted as a result of a provisioning + operation carried out by the network administrator, or may be + dynamically added or deleted as a result of a subscriber initiated + operation; thus VPN membership information may be either static or + dynamic, as discussed below. + +3.1.1.1. Static Binding + + Static binding occurs when a provisioning action binds a particular + PE-CE access link to a particular VPN. For example, a network + administrator may set up a dedicated link layer connection, such as + an ATM VCC or a FR DLCI, between a PE device and a CE device. In + this case the binding between a PE-CE access connection and a + particular VPN to fixed at provisioning time, and remains the same + until another provisioning action changes the binding. + +3.1.1.2. Dynamic Binding + + Dynamic binding occurs when some real-time protocol interaction + causes a particular PE-CE access link to be temporarily bound to a + particular VPN. For example, a mobile user may dial up the provider + network and carry out user authentication and VPN selection + procedures. Then the PE to which the user is attached is not one + permanently associated with the user, but rather one that is + typically geographically close to where the mobile user happens to + be. Another example of dynamic binding is that of a permanent access + connection between a PE and a CE at a public facility such as a hotel + or conference center, where the link may be accessed by multiple + users in turn, each of which may wish to connect to a different VPN. + + To support dynamically connected users, PPP and RADIUS are commonly + used, as these protocols provide for user identification, + authentication and VPN selection. Other mechanisms are also + + + +Callon & Suzuki Informational [Page 24] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + possible. For example a user's HTTP traffic may be initially + intercepted by a PE and diverted to a provider hosted web server. + After a dialogue that includes user authentication and VPN selection, + the user can then be connected to the required VPN. This is + sometimes referred to as a "captive portal". + + Independent of the particular mechanisms used for user authentication + and VPN selection, an implication of dynamic binding is that a user + for a given VPN may appear at any PE at any time. Thus VPN + membership may change at any time as a result of user initiated + actions, rather than as a result of network provisioning actions. + This suggests that there needs to be a way to distribute membership + information rapidly and reliably when these user-initiated actions + take place. + +3.1.2. Layer 3 Provider-Provisioned CE-based VPN + + In layer 3 provider-provisioned CE-based VPNs, the PE devices have no + knowledge of the VPNs. A PE device attached to a particular VPN has + no knowledge of the addressing or routing information of that + specific VPN. + + CE devices have IP or MPLS connectivity via a connection to a PE + device, which just provides ordinary connectivity to the global IP + address space or to an address space which is unique in a particular + SPs network. The IP connectivity may be via a static binding, or via + some kind of dynamic binding. + + The establishment of the VPNs is done at each CE device, making use + of the IP or MPLS connectivity to the others. Therefore, it is + necessary for a given CE device to know which other CE devices belong + to the same VPN. In this context, VPN membership refers to the + association of VPNs and CE devices. + +3.2. Data Exchange at the Customer Interface + +3.2.1. Layer 3 PE-based VPN + + For layer 3 PE-based VPNs, the exchange is normal IP packets, + transmitted in the same form which is available for interconnecting + routers in general. For example, IP packets may be exchanged over + Ethernet, SONET, T1, T3, dial-up lines, and any other link layer + available to the router. It is important to note that those link + layers are strictly local to the interface for the purpose of + carrying IP packets, and are terminated at each end of the customer + interface. The IP packets may contain addresses which, while unique + within the VPN, are not unique on the VPN backbone. Optionally, the + data exchange may use MPLS to carry the IP packets. + + + +Callon & Suzuki Informational [Page 25] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +3.2.2. Layer 3 Provider-Provisioned CE-based VPN + + The data exchanged at the customer interface are always normal IP + packets that are routable on the VPN backbone, and whose addresses + are unique on the VPN backbone. Optionally, MPLS frames can be used, + if the appropriate label-switched paths exist across the VPN + backbone. The PE device does not know whether these packets are VPN + packets or not. At the current time, MPLS is not commonly offered as + a customer-visible service, so that CE-based VPNs most commonly make + use of IP services. + +3.3. Customer Visible Routing + + Once VPN tunnels are set up between pairs of VPN edge devices, it is + necessary to set up mechanisms which ensure that packets from the + customer network get sent through the proper tunnels. This routing + function must be performed by the VPN edge device. + +3.3.1. Customer View of Routing for Layer 3 PE-based VPNs + + There is a PE-CE routing interaction which enables a PE to obtain + those addresses, from the customer network, that are reachable via + the CE. The PE-CE routing interaction also enables a CE device to + obtain those addresses, from the customer network, which are + reachable via the PE; these will generally be addresses that are at + other sites in the customer network. + + The PE-CE routing interaction can make use of static routing, an IGP + (such as RIP, OSPF, IS-IS, etc.), or BGP. + + If the PE-CE interaction is done via an IGP, the PE will generally + maintain at least several independent IGP instances; one for the + backbone routing, and one for each VPN. Thus the PE participates in + the IGP of the customer VPNs, but the CE does not participate in the + backbone's IGP. + + If the PE-CE interaction is done via BGP, the PE MAY support one + instance of BGP for each VPN, as well as an additional instance of + BGP for the public Internet routes. Alternatively, the PE might + support a single instance of BGP, using, e.g., different BGP Address + Families to distinguish the public Internet routes from the VPN + routes. + + Routing information which a PE learns from a CE in a particular VPN + must be forwarded to the other PEs that are attached to the same VPN. + Those other PEs must then forward the information in turn to the + other CEs of that VPN. + + + + +Callon & Suzuki Informational [Page 26] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + The PE-PE routing distribution can be done as part of the same + routing instance to which the PE-CE interface belongs. + Alternatively, it can be done via a different routing instance, + possibly using a different routing algorithm. In this case, the PE + must redistribute VPN routes from one routing instance to another. + + Note that VPN routing information is never distributed to the P + routers. VPN routing information is known at the edge of the VPN + backbone, but not in the core. + + If the VPN's IGP is different than the routing algorithm running on + the CE-PE link, then the CE must support two routing instances, and + must redistribute the VPN's routes from one instance to the other + (e.g., [VPN-BGP-OSPF]). + + In the case of layer 3 PE-based VPNs a single PE device is likely to + provide service for several different VPNs. Since different VPNs may + have address spaces which are not mutually unique, a PE device must + have several forwarding tables, in general one for each VPN to which + it is attached. These will be referred to as VPN Forwarding + Instances (VFIs). Each VFI is a logical entity internal to the PE + device. VFIs are defined in section 2.1.1, and discussed in more + detail in section 4.4.2. + + The scaling and management of the customer network (as well as the + operation of the VPN) will depend upon the implementation approach + and the manner in which routing is done. + +3.3.1.1. Routing for Intranets + + In the intranet case all of the sites to be interconnected belong to + the same administration (for example, the same company). The options + for routing within a single customer network include: + + o A single IGP area (using OSPF, IS-IS, or RIP) + + o Multiple areas within a single IGP + + o A separate IGP within each site, with routes redistributed from + each site to backbone routing (i.e., to a backbone as seen by the + customer network). + + Note that these options look at routing from the perspective of the + overall routing in the customer network. This list does not specify + whether PE device is considered to be in a site or not. This issue + is discussed below. + + + + + +Callon & Suzuki Informational [Page 27] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + A single IGP area (such as a single OSPF area, a single IS-IS area, + or a single instance of RIP between routers) may be used. One could + have, all routers within the customer network (including the PEs, or + more precisely, including a VFI within each PE) appear within a + single area. Tunnels between the PEs could also appear as normal + links. + + In some cases the multi-level hierarchy of OSPF or IS-IS may be used. + One way to apply this to VPNs would be to have each site be a single + OSPF or IS-IS area. The VFIs will participate in routing within each + site as part of that area. The VFIs may then be interconnected as + the backbone (OSPF area 0 or IS-IS level 2). If OSPF is used, the + VFIs therefore appear to the customer network as area border routers. + If IS-IS is used, the VFIs therefore participate in level 1 routing + within the local area, and appear to the customer network as if they + are level 2 routers in the backbone. + + Where an IGP is used across the entire network, it is straightforward + for VPN tunnels, access connections, and backdoor links to be mixed + in a network. Given that OSPF or IS-IS metrics will be assigned to + all links, paths via alternate links can be compared and the shortest + cost path will be used regardless of whether it is via VPN tunnels, + access connections, or backdoor links. If multiple sites of a VPN do + not use a common IGP, or if the backbone does not use the same common + IGP as the sites, then special procedures may be needed to ensure + that routes to/from other sites are treated as intra-area routes, + rather than as external routes (depending upon the VPN approach + taken). + + Another option is to operate each site as a separate routing domain. + For example each site could operate as a single OSPF area, a single + IS-IS area, or a RIP domain. In this case the per-site routing + domains will need to redistribute routes into a backbone routing + domain (Note: in this context the "backbone routing domain" refers to + a backbone as viewed by the customer network). In this case it is + optional whether or not the VFIs participate in the routing within + each site. + +3.3.1.2. Routing for Extranets + + In the extranet case the sites to be interconnected belong to + multiple different administrations. In this case IGPs (such as OSPF, + IS-IS, or RIP) are normally not used across the interface between + organizations. Either static routes or BGP may be used between + sites. If the customer network administration wishes to maintain + control of routing between its site and other networks, then either + + + + + +Callon & Suzuki Informational [Page 28] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + static routing or BGP may be used across the customer interface. If + the customer wants to outsource all such control to the provider, + then an IGP or static routes may be used at this interface. + + The use of BGP between sites allows for policy based routing between + sites. This is particularly useful in the extranet case. Note that + private IP addresses or non-unique IP address (e.g., unregistered + addresses) should not be used for extranet communication. + +3.3.1.3. CE and PE Devices for Layer 3 PE-based VPNs + + When using a single IGP area across an intranet, the entire customer + network participates in a single area of an IGP. In this case, for + layer 3 PE-based VPNs both CE and PE devices participate as normal + routers within the area. + + The other options make a distinction between routing within a site, + and routing between sites. In this case, a CE device would normally + be considered as part of the site where it is located. However, + there is an option regarding how the PE devices should be considered. + + In some cases, from the perspective of routing within the customer + network, a PE device (or more precisely a VFI within a PE device) may + be considered to be internal to the same area or routing domain as + the site to which it is attached. This simplifies the management + responsibilities of the customer network administration, since + inter-area routing would be handled by the provider. + + For example, from the perspective of routing within the customer + network, the CE devices may be the area border or AS boundary routers + of the IGP area. In this case, static routing, BGP, or whatever + routing is used in the backbone, may be used across the customer + interface. + +3.3.2. Customer View of Routing for Layer 3 Provider-Provisioned + CE-based VPNs + + For layer 3 provider-provisioned CE-based VPNs, the PE devices are + not aware of the set of addresses which are reachable at particular + customer sites. The CE and PE devices do not exchange the customer's + routing information. + + Customer sites that belong to the same VPN may exchange routing + information through the CE-CE VPN tunnels that appear, to the + customers IGP, as router adjacencies. Alternatively, instead of + + + + + + +Callon & Suzuki Informational [Page 29] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + exchanging routing information through the VPN tunnels, the SP's + management system may take care of the configuration of the static + route information of one site towards the other sites in the VPN. + + Routing within the customer site may be done in any possible way, + using any kind of routing protocols (see section 3.3.3). + + As the CE device receives an IP or MPLS service from the SP, the CE + and PE devices may exchange routing information that is meaningful + within the SP routing realm. + + Moreover, as the forwarding of tunneled customer packets in the SP + network will be based on global IP forwarding, the routes to the + various CE devices must be known in the entire SP's network. + + This means that a CE device may need to participate in two different + routing processes: + + o routing in its own private network (VPN routing), within its own + site and with the other VPN sites through the VPN tunnels, possibly + using private addresses. + + o routing in the SP network (global routing), as such peering with + its PE. + + However, in many scenarios, the use of static/default routes at the + CE-PE interface might be all the global routing that is required. + +3.3.3. Options for Customer Visible Routing + + The following technologies are available for the exchange of routing + information. + + o Static routing + + Routing tables may be configured through a management system. + + o RIP (Routing Information Protocol) [RFC2453] + + RIP is an interior gateway protocol and is used within an + autonomous system. It sends out routing updates at regular + intervals and whenever the network topology changes. Routing + information is then propagated by the adjacent routers to their + neighbors and thus to the entire network. A route from a source to + a destination is the path with the least number of routers. This + number is called the "hop count" and its maximum value is 15. This + implies that RIP is suitable for a small- or medium-sized networks. + + + + +Callon & Suzuki Informational [Page 30] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o OSPF (Open Shortest Path First) [RFC2328] + + OSPF is an interior gateway protocol and is applied to a single + autonomous system. Each router distributes the state of its + interfaces and neighboring routers as a link state advertisement, + and maintains a database describing the autonomous system's + topology. A link state is advertised every 30 minutes or when the + topology is reconfigured. + + Each router maintains an identical topological database, from which + it constructs a tree of shortest paths with itself as the root. + The algorithm is known as the Shortest Path First or SPF. The + router generates a routing table from the tree of shortest paths. + OSPF supports a variable length subnet mask, which enables + effective use of the IP address space. + + OSPF allows sets of networks to be grouped together into an area. + Each area has its own topological database. The topology of the + area is invisible from outside its area. The areas are + interconnected via a "backbone" network. The backbone network + distributes routing information between the areas. The area + routing scheme can reduce the routing traffic and compute the + shortest path trees and is indispensable for larger scale networks. + + Each multi-access network with multiple routers attached has a + designated router. The designated router generates a link state + advertisement for the multi-access network and synchronizes the + topological database with other adjacent routers in the area. The + concept of designated router can thus reduce the routing traffic + and compute shortest path trees. To achieve high availability, a + backup designated router is used. + + o IS-IS (intermediate system to intermediate system) [RFC1195] + + IS-IS is a routing protocol designed for the OSI (Open Systems + Interconnection) protocol suites. Integrated IS-IS is derived from + IS-IS in order to support the IP protocol. In the Internet + community, IS-IS means integrated IS-IS. In this, a link state is + advertised over a connectionless network service. IS-IS has the + same basic features as OSPF. They include: link state + advertisement and maintenance of a topological database within an + area, calculation of a tree of shortest paths, generation of a + routing table from a tree of shortest paths, the area routing + scheme, a designated router, and a variable length subnet mask. + + + + + + + +Callon & Suzuki Informational [Page 31] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o BGP-4 (Border Gateway Protocol version 4) [RFC1771] + + BGP-4 is an exterior gateway protocol and is applied to the routing + of inter-autonomous systems. A BGP speaker establishes a session + with other BGP speakers and advertises routing information to them. + A session may be an External BGP (EBGP) that connects two BGP + speakers within different autonomous systems, or an internal BGP + (IBGP) that connects two BGP speakers within a single autonomous + system. Routing information is qualified with path attributes, + which differentiate routes for the purpose of selecting an + appropriate one from possible routes. Also, routes are grouped by + the community attribute [RFC1997] [BGP-COM]. + + The IBGP mesh size tends to increase dramatically with the number + of BGP speakers in an autonomous system. BGP can reduce the number + of IBGP sessions by dividing the autonomous system into smaller + autonomous systems and grouping them into a single confederation + [RFC3065]. Route reflection is another way to reduce the number of + IBGP sessions [RFC1966]. BGP divides the autonomous system into + clusters. Each cluster establishes the IBGP full mesh within + itself, and designates one or more BGP speakers as "route + reflectors," which communicate with other clusters via their route + reflectors. Route reflectors in each cluster maintain path and + attribute information across the autonomous system. The autonomous + system still functions like a fully meshed autonomous system. On + the other hand, confederations provide finer control of routing + within the autonomous system by allowing for policy changes across + confederation boundaries, while route reflection requires the use + of identical policies. + + BGP-4 has been extended to support IPv6, IPX, and others as well as + IPv4 [RFC2858]. Multiprotocol BGP-4 carries routes from multiple + "address families". + +4. Network Interface and SP Support of VPNs + +4.1. Functional Components of a VPN + + The basic functional components of an implementation of a VPN are: + + o A mechanism to acquire VPN membership/capability information + + o A mechanism to tunnel traffic between VPN sites + + o For layer 3 PE-based VPNs, a means to learn customer routes, + distribute them between the PEs, and to advertise reachable + destinations to customer sites. + + + + +Callon & Suzuki Informational [Page 32] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + Based on the actual implementation, these functions could be + implemented on a per-VPN basis or could be accomplished via a common + mechanism shared by all VPNs. For instance, a single process could + handle the routing information for all the VPNs or a separate process + may be created for each VPN. + + Logically, the establishment of a VPN can be thought of as composed + of the following three stages. In the first stage, the VPN edge + devices learn of each other. In the second stage, they establish + tunnels to each other. In the third stage, they exchange routing + information with each other. However, not all VPN solutions need be + decomposed into these three stages. For example, in some VPN + solutions, tunnels are not established after learning membership + information; rather, pre-existing tunnels are selected and used. + Also, in some VPN solutions, the membership information and the + routing information are combined. + + In the membership/capability discovery stage, membership and + capability information needs to be acquired to determine whether two + particular VPN edge devices support any VPNs in common. This can be + accomplished, for instance, by exchanging VPN identifiers of the + configured VPNs at each VPN edge device. The capabilities of the VPN + edge devices need to be determined, in order to be able to agree on a + common mechanism for tunneling and/or routing. For instance, if site + A supports both IPsec and MPLS as tunneling mechanisms and site B + supports only MPLS, they can both agree to use MPLS for tunneling. + In some cases the capability information may be determined + implicitly, for example some SPs may implement a single VPN solution. + Likewise, the routing information for VPNs can be distributed using + the methods discussed in section 4.4. + + In the tunnel establishment stage, mechanisms may need to be invoked + to actually set up the tunnels. With IPsec, for instance, this could + involve the use of IKE to exchange keys and policies for securing the + data traffic. However, if IP tunneling, e.g., is used, there may not + be any need to explicitly set up tunnels; if MPLS tunnels are used, + they may be pre-established as part of normal MPLS functioning. + + In the VPN routing stage, routing information for the VPN sites must + be exchanged before data transfer between the sites can take place. + Based on the VPN model, this could involve the use of static routes, + IGPs such as OSPF/ISIS/RIP, or an EGP such as BGP. + + VPN membership and capability information can be distributed from a + central management system, using protocols such as, e.g., LDAP. + Alternatively, it can be distributed manually. However, as manual + configuration does not scale and is error prone, its use is + discouraged. As a third alternative, VPN information can be + + + +Callon & Suzuki Informational [Page 33] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + distributed via protocols that ensure automatic and consistent + distribution of information in a timely manner, much as routing + protocols do for routing information. This may suggest that the + information be carried in routing protocols themselves, though only + if this can be done without negatively impacting the essential + routing functions. + + It can be seen that quite a lot of information needs to be exchanged + in order to establish and maintain a VPN. The scaling and stability + consequences need to be analyzed for any VPN approach. + + While every VPN solution must address the functionality of all three + components, the combinations of mechanisms used to provide the needed + functionality, and the order in which different pieces of + functionality are carried out, may differ. + + For layer 3 provider-provisioned CE-based VPNs, the VPN service is + offering tunnels between CE devices. IP routing for the VPN is done + by the customer network. With these solutions, the SP is involved in + the operation of the membership/capability discovery stage and the + tunnel establishment stage. The IP routing functional component may + be entirely up to the customer network, or alternatively, the SP's + management system may be responsible for the distribution of the + reachability information of the VPN sites to the other sites of the + same VPN. + +4.2. VPN Establishment and Maintenance + + For a layer 3 provider-provisioned VPN the SP is responsible for the + establishment and maintenance of the VPNs. Many different approaches + and schemes are possible in order to provide layer 3 PPVPNs, however + there are some generic problems that any VPN solution must address, + including: + + o For PE-based VPNs, when a new site is added to a PE, how do the + other PEs find out about it? When a PE first gets attached to a + given VPN, how does it determine which other PEs are attached to + the same VPN. For CE-based VPNs, when a new site is added, how + does its CE find out about all the other CEs at other sites of the + same VPN? + + o In order for layer 3 PE-based VPNs to scale, all routes for all + VPNs cannot reside on all PEs. How is the distribution of VPN + routing information constrained so that it is distributed to only + those devices that need it? + + + + + + +Callon & Suzuki Informational [Page 34] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o An administrator may wish to provision different topologies for + different VPNs (e.g., a full mesh or a hub & spoke topology). How + is this achieved? + + This section looks at some of these generic problems and at some of + the mechanisms that can be used to solve them. + +4.2.1. VPN Discovery + + Mechanisms are needed to acquire information that allows the + establishment and maintenance of VPNs. This may include, for + example, information on VPN membership, topology, and VPN device + capabilities. This information may be statically configured, or + distributed by an automated protocol. As a result of the operation + of these mechanisms and protocols, a device is able to determine + where to set up tunnels, and where to advertise the VPN routes for + each VPN. + + With a physical network, the equivalent problem can by solved by the + control of the physical interconnection of links, and by having a + router run a discovery/hello protocol over its locally connected + links. With VPNs both the routers and the links (tunnels) may be + logical entities, and thus some other mechanisms are needed. + + A number of different approaches are possible for VPN discovery. One + scheme uses the network management system to configure and provision + the VPN edge devices. This approach can also be used to distribute + VPN discovery information, either using proprietary protocols or + using standard management protocols and MIBs. Another approach is + where the VPN edge devices act as clients of a centralized directory + or database server that contains VPN discovery information. Another + possibility is where VPN discovery information is piggybacked onto a + routing protocol running between the VPN edge devices [VPN-DISC]. + +4.2.1.1. Network Management for Membership Information + + SPs use network management extensively to configure and monitor the + various devices that are spread throughout their networks. This + approach could be also used for distributing VPN related information. + A network management system (either centralized or distributed) could + be used by the SP to configure and provision VPNs on the VPN edge + devices at various locations. VPN configuration information could be + entered into a network management application and distributed to the + remote sites via the same means used to distribute other network + management information. This approach is most natural when all the + devices that must be provisioned are within a single SP's network, + + + + + +Callon & Suzuki Informational [Page 35] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + since the SP has access to all VPN edge devices in its domain. + Security and access control are important, and could be achieved for + example using SNMPv3, SSH, or IPsec tunnels. + +4.2.1.2. Directory Servers + + An SP typically needs to maintain a database of VPN + configuration/membership information, regardless of the mechanisms + used to distribute it. LDAPv3 [RFC3377] is a standard directory + protocol which makes it possible to use a common mechanism for both + storing such information and distributing it. + + To facilitate interoperability between different implementations, as + well as between the management systems of different SPs, a standard + schema for representing VPN membership and configuration information + would have to be developed. + + LDAPv3 supports authentication of messages and associated access + control, which can be used to limit access to VPN information to + authorized entities. + +4.2.1.3. Augmented Routing for Membership Information + + Extensions to the use of existing BGP mechanisms, for distribution of + VPN membership information, are proposed in [VPN-2547BIS]. In that + scheme, BGP is used to distribute VPN routes, and each route carries + a set of attributes which indicate the VPN (or VPNs) to which the + route belongs. This allows the VPN discovery information and routing + information to be combined in a single protocol. Information needed + to establish per-VPN tunnels can also be carried as attributes of the + routes. This makes use of the BGP protocol's ability to effectively + carry large amounts of routing information. + + It is also possible to use BGP to distribute just the + membership/capability information, while using a different technique + to distribute the routing. BGP's update message would be used to + indicate that a PE is attached to a particular VPN; BGP's withdraw + message would be used to indicate that a PE has ceased to be attached + to a particular VPN. This makes use of the BGP protocol's ability to + dynamically distribute real-time changes in a reliable and fairly + rapid manner. In addition, if a BGP route reflector is used, PEs + never have to be provisioned with each other's IP addresses at all. + Both cases make use of BGP's mechanisms, such as route filters, for + constraining the distribution of information. + + Augmented routing may be done in combination with aggregated routing, + as discussed in section 4.4.4. Of course, when using BGP for + distributing any kind of VPN-specific information, one must ensure + + + +Callon & Suzuki Informational [Page 36] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + that one is not disrupting the classical use of BGP for distributing + public Internet routing information. For further discussion of this, + see the discussion of aggregated routing, section 4.4.4. + +4.2.1.4. VPN Discovery for Inter-SP VPNs + + When two sites of a VPN are connected to different SP networks, the + SPs must support a common mechanism for exchanging + membership/capability information. This might make use of manual + configuration or automated exchange of information between the SPs. + Automated exchange may be facilitated if one or more mechanisms for + VPN discovery are standardized and supported across the multiple SPs. + Inter-SP trust relationships will need to be established, for example + to determine which information and how much information about the + VPNs may be exchanged between SPs. + + In some cases different service providers may deploy different + approaches for VPN discovery. Where this occurs, this implies that + for multi-SP VPNs, some manual coordination and configuration may be + necessary. + + The amount of information which needs to be shared between SPs may + vary greatly depending upon the number of size of the multi-SP VPNs. + The SPs will therefore need to determine and agree upon the expected + amount of membership information to be exchanged, and the dynamic + nature of this information. Mechanisms may also be needed to + authenticate the VPN membership information. + + VPN information should be distributed only to places where it needs + to go, whether that is intra-provider or inter-provider. In this + way, the distribution of VPN information is unlike the distribution + of inter-provider routing information, as the latter needs to be + distributed throughout the Internet. In addition, the joint support + of a VPN by two SPs should not require any third SP to maintain state + for that VPN. Again, notice the difference with respect to + inter-provider routing; in inter-provider routing: sending traffic + from one SP to another may indeed require routing state in a third + SP. + + As one possible example: Suppose that there are two SPs A and C, + which want to support a common VPN. Suppose that A and C are + interconnected via SP B. In this case B will need to know how to + route traffic between A and C, and therefore will need to know + something about A and C (such as enough routing information to + forward IP traffic and/or connect MPLS LSPs between PEs or route + reflectors in A and C). However, for scaling purposes it is + desirable that B not need to know VPN-specific information about the + VPNs which are supported by A and C. + + + +Callon & Suzuki Informational [Page 37] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +4.2.2. Constraining Distribution of VPN Routing Information + + In layer 3 provider-provisioned CE-based VPNs, the VPN tunnels + connect CE devices. In this case, distribution of IP routing + information occurs between CE devices on the customer sites. No + additional constraints on the distribution of VPN routing information + are necessary. + + In layer 3 PE-based VPNs, however, the PE devices must be aware of + VPN routing information (for the VPNs to which they are attached). + For scalability reasons, one does not want a scheme in which all PEs + contain all routes for all VPNs. Rather, only the PEs that are + attached to sites in a given VPN should contain the routing + information for that VPN. This means that the distribution of VPN + routing information between PE devices must be constrained. + + As VPN membership may change dynamically, it is necessary to have a + mechanism that allows VPN route information to be distributed to any + PE where there is an attached user for that VPN, and allows for the + removal of this information when it is no longer needed. + + In the Virtual Router scheme, per-VPN tunnels must be established + before any routes for a VPN are distributed, and the routes are then + distributed through those tunnels. Thus by establishing the proper + set of tunnels, one implicitly constrains and controls the + distribution of per-VPN routing information. In this scheme, the + distribution of membership information consists of the set of VPNs + that exists on each PE, as well as information about the desired + topology. This enables a PE to determine the set of remote PEs to + which it must establish tunnels for a particular VPN. + + In the aggregated routing scheme (see section 4.4.4), the + distribution of VPN routing information is constrained by means of + route filtering. As VPN membership changes on a PE, the route + filters in use between the PE and its peers can be adjusted. Each + peer may then adjust the filters in use with each of its peers in + turn, and thus the changes propagate across the network. When BGP is + used, this filtering may take place at route reflectors as discussed + in section 4.4.4. + +4.2.3. Controlling VPN Topology + + The topology for a VPN consists of a set of nodes interconnected via + tunnels. The topology may be a full mesh, a hub and spoke topology, + or an arbitrary topology. For a VPN the set of nodes will include + all VPN edge devices that have attached sites for that VPN. + Naturally, whatever the topology, all VPN sites are reachable from + each other; the topology simply constrains the way traffic is routed + + + +Callon & Suzuki Informational [Page 38] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + among the sites. For example, in one topology traffic between site A + and site B goes from one to the other directly over the VPN backbone; + in another topology, traffic from site A to site B must traverse site + C before reaching site B. + + The simplest topology is a full mesh, where a tunnel exists between + every pair of VPN edge devices. If we assume the use of point-to- + point tunnels (rather than multipoint-to-point), then with a full + mesh topology there are N*(N-1)/2 duplex tunnels or N*(N-1) simplex + tunnels for N VPN edge devices. Each tunnel consumes some resources + at a VPN edge device, and depending on the type of tunnel, may or may + not consume resources in intermediate routers or LSRs. One reason + for using a partial mesh topology is to reduce the number of tunnels + a VPN edge device, and/or the network, needs to support. Another + reason is to support the scenario where an administrator requires all + traffic from certain sites to traverse some particular site for + policy or control reasons, such as to force traffic through a + firewall, or for monitoring or accounting purposes. Note that the + topologies used for each VPN are separate, and thus the same VPN edge + device may be part of a full mesh topology for one VPN, and of a + partial mesh topology for another VPN. + + An example of where a partial mesh topology could be suitable is for + a VPN that supports a large number of telecommuters and a small + number of corporate sites. Most traffic will be between + telecommuters and the corporate sites, not between pairs of + telecommuters. A hub and spoke topology for the VPN would thus map + onto the underlying traffic flow, with the telecommuters attached to + spoke VPN edge devices and the corporate sites attached to hub VPN + edge devices. Traffic between telecommuters is still supported, but + this traffic traverses a hub VPN edge device. + + The selection of a topology for a VPN is an administrative choice, + but it is useful to examine protocol mechanisms that can be used to + automate the construction of the desired topology, and thus reduce + the amount of configuration needed. To this end it is useful for a + VPN edge device to be able to advertise per-VPN topology information + to other VPN edge devices. It may be simplest to advertise this at + the same time as the membership information is advertised, using the + same mechanisms. + + A simple scheme is where a VPN edge device advertises itself either + as a hub or as a spoke, for each VPN that it has. When received by + other VPN edge devices this information can be used when determining + whether to establish a tunnel. A more comprehensive scheme allows a + VPN edge device to advertise a set of topology groups, with tunnels + established between a pair of VPN edge devices if they have a group + in common. + + + +Callon & Suzuki Informational [Page 39] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +4.3. VPN Tunneling + + VPN solutions use tunneling in order to transport VPN packets across + the VPN backbone, from one VPN edge device to another. There are + different types of tunneling protocols, different ways of + establishing and maintaining tunnels, and different ways to associate + tunnels with VPNs (e.g., shared versus dedicated per-VPN tunnels). + Sections 4.3.1 through 4.3.5 discusses some common characteristics + shared by all forms of tunneling, and some common problems to which + tunnels provide a solution. Section 4.3.6 provides a survey of + available tunneling techniques. Note that tunneling protocol issues + are generally independent of the mechanisms used for VPN membership + and VPN routing. + + One motivation for the use of tunneling is that the packet addressing + used in a VPN may have no relation to the packet addressing used + between the VPN edge devices. For example the customer VPN traffic + could use non-unique or private IP addressing [RFC1918]. Also an + IPv6 VPN could be implemented across an IPv4 provider backbone. As + such the packet forwarding between the VPN edge devices must use + information other than that contained in the VPN packets themselves. + A tunneling protocol adds additional information, such an extra + header or label, to a VPN packet, and this additional information is + then used for forwarding the packet between the VPN edge devices. + + Another capability optionally provided by tunneling is that of + isolation between different VPN traffic flows. The QoS and security + requirements for these traffic flows may differ, and can be met by + using different tunnels with the appropriate characteristics. This + allows a provider to offer different service characteristics for + traffic in different VPNs, or to subsets of traffic flows within a + single VPN. + + The specific tunneling protocols considered in this section are GRE, + IP-in-IP, IPsec, and MPLS, as these are the most suitable for + carrying VPN traffic across the VPN backbone. Other tunneling + protocols, such as L2TP [RFC2661], may be used as access tunnels, + carrying traffic between a PE and a CE. As backbone tunneling is + independent of and orthogonal to access tunneling, protocols for the + latter are not discussed here. + +4.3.1. Tunnel Encapsulations + + All tunneling protocols use an encapsulation that adds additional + information to the encapsulated packet; this information is used for + forwarding across the VPN backbone. Examples are provided in section + 4.3.6. + + + + +Callon & Suzuki Informational [Page 40] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + One characteristic of a tunneling protocol is whether per-tunnel + state is needed in the SP network in order to forward the + encapsulated packets. For IP tunneling schemes (GRE, IP-in-IP, and + IPsec) per-tunnel state is completely confined to the VPN edge + devices. Other routers are unaware of the tunnels, and forward + according to the IP header. For MPLS, per-tunnel state is needed, + since the top label in the label stack must be examined and swapped + by intermediate LSRs. The amount of state required can be minimized + by hierarchical multiplexing, and by use of multi-point to point + tunnels, as discussed below. + + Another characteristic is the tunneling overhead introduced. With + IPsec the overhead may be considerable as it may include, for + example, an ESP header, ESP trailer and an additional IP header. The + other mechanisms listed use less overhead, with MPLS being the most + lightweight. The overhead inherent in any tunneling mechanism may + result in additional IP packet fragmentation, if the resulting packet + is too large to be carried by the underlying link layer. As such it + is important to report any reduced MTU sizes via mechanisms such as + path MTU discovery in order to avoid fragmentation wherever possible. + + Yet another characteristic is something we might call "transparency + to the Internet". IP-based encapsulation can carry be used to carry + a packet anywhere in the Internet. MPLS encapsulation can only be + used to carry a packet on IP networks that support MPLS. If an + MPLS-encapsulated packet must cross the networks of multiple SPs, the + adjacent SPs must bilateral agreements to accept MPLS packets from + each other. If only a portion of the path across the backbone lacks + MPLS support, then an MPLS-in-IP encapsulation can be used to move + the MPLS packets across that part of the backbone. However, this + does add complexity. On the other hand, MPLS has efficiency + advantages, particularly in environments where encapsulations may + need to be nested. + + Transparency to the Internet is sometimes a requirement, but + sometimes not. This depends on the sort of service which a SP is + offering to its customer. + +4.3.2. Tunnel Multiplexing + + When a tunneled packet arrives at the tunnel egress, it must be + possible to infer the packet's VPN from its encapsulation header. In + MPLS encapsulations, this must be inferred from the packet's label + stack. In IP-based encapsulations, this can be inferred from some + combination of the IP source address, the IP destination address, and + a "multiplexing field" in the encapsulation header. The multiplexing + + + + + +Callon & Suzuki Informational [Page 41] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + field might be one which was explicitly designed for multiplexing, or + one that wasn't originally designed for this but can be pushed into + service as a multiplexing field. For example: + + o GRE: Packets associated to VPN by source IP address, destination IP + address, and Key field, although the key field was originally + intended for authentication. + + o IP-in-IP: Packets associated to VPN by IP destination address in + outer header. + + o IPsec: Packets associated to VPN by IP source address, IP + destination address, and SPI field. + + o MPLS: Packets associated to VPN by label stack. + + Note that IP-in-IP tunneling does not have a real multiplexing field, + so a different IP destination address must be used for every VPN + supported by a given PE. In the other IP-based encapsulations, a + given PE need have only a single IP address, and the multiplexing + field is used to distinguish the different VPNs supported by a PE. + Thus the IP-in-IP solution has the significant disadvantage that it + requires the allocation and assignment of a potentially large number + of IP addresses, all of which have to be reachable via backbone + routing. + + In the following, we will use the term "multiplexing field" to refer + to whichever field in the encapsulation header must is used to + distinguish different VPNs at a given PE. In the IP-in-IP + encapsulation, this is the destination IP address field, in the other + encapsulations it is a true multiplexing field. + +4.3.3. Tunnel Establishment + + When tunnels are established, the tunnel endpoints must agree on the + multiplexing field values which are to be used to indicate that + particular packets are in particular VPNs. The use of "well known" + or explicitly provisioned values would not scale well as the number + of VPNs increases. So it is necessary to have some sort of protocol + interaction in which the tunnel endpoints agree on the multiplexing + field values. + + For some tunneling protocols, setting up a tunnel requires an + explicit exchange of signaling messages. Generally the multiplexing + field values would be agreed upon as part of this exchange. For + example, if an IPsec encapsulation is used, the SPI field plays the + role of the multiplexing field, and IKE signaling is used to + distribute the SPI values; if an MPLS encapsulation is used, LDP, + + + +Callon & Suzuki Informational [Page 42] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + CR-LDP or RSVP-TE can be used to distribute the MPLS label value used + as the multiplexing field. Information about the identity of the VPN + with which the tunnel is to be associated needs to be exchanged as + part of the signaling protocol (e.g., a VPN-ID can be carried in the + signaling protocol). An advantage of this approach is that + per-tunnel security, QoS and other characteristics may also be + negotiable via the signaling protocol. A disadvantage is that the + signaling imposes overhead, which may then lead to scalability + considerations, discussed further below. + + For some tunneling protocols, there is no explicit protocol + interaction that sets up the tunnel, and the multiplexing field + values must be exchanged in some other way. For example, for MPLS + tunnels, MPLS labels can be piggybacked on the protocols used to + distribute VPN routes or VPN membership information. GRE and + IP-in-IP have no associated signaling protocol, and thus by necessity + the multiplexing values are distributed via some other mechanism, + such as via configuration, control protocol, or piggybacked in some + manner on a VPN membership protocol. + + The resources used by the different tunneling establishment + mechanisms may vary. With a full mesh VPN topology, and explicit + signaling, each VPN edge device has to establish a tunnel to all the + other VPN edge devices for in each VPN. The resources needed for + this on a VPN edge device may be significant, and issues such as the + time needed to recover following a device failure may need to be + taken into account, as the time to recovery includes the time needed + to reestablish a large number of tunnels. + +4.3.4. Scaling and Hierarchical Tunnels + + If tunnels require state to be maintained in the core of the network, + it may not be feasible to set up per-VPN tunnels between all adjacent + devices that are adjacent in some VPN topology. This would violate + the principle that there is no per-VPN state in the core of the + network, and would make the core scale poorly as the number of VPNs + increases. For example, MPLS tunnels require that core network + devices maintain state for the topmost label in the label stack. If + every core router had to maintain one or more labels for every VPN, + scaling would be very poor. + + There are also scaling considerations related to the use of explicit + signaling for tunnel establishment. Even if the tunneling protocol + does not maintain per tunnel state in the core, the number of tunnels + that a single VPN edge device needs to handle may be large, as this + grows according to the number of VPNs and the number of neighbors per + VPN. One way to reduce the number of tunnels in a network is to use + + + + +Callon & Suzuki Informational [Page 43] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + a VPN topology other than a full mesh. However this may not always + be desirable, and even with hub and spoke topologies the hubs VPN + edge devices may still need to handle large numbers of tunnels. + + If the core routers need to maintain any per-tunnel state at all, + scaling can be greatly improved by using hierarchical tunnels. One + tunnel can be established between each pair of VPN edge devices, and + multiple VPN-specific tunnels can then be carried through the single + "outer" tunnel. Now the amount of state is dependent only on the + number of VPN edge devices, not on the number of VPNs. Scaling can + be further improved by having the outer tunnels be + multipoint-to-point "merging" tunnels. Now the amount of state to be + maintained in the core is on the order of the number of VPN edge + devices, not on the order of the square of that number. That is, the + amount of tunnel state is roughly equivalent to the amount of state + needed to maintain IP routes to the VPN edge devices. This is almost + (if not quite) as good as using tunnels which do not require any + state to be maintained in the core. + + Using hierarchical tunnels may also reduce the amount of state to be + maintained in the VPN edge devices, particularly if maintaining the + outer tunnels requires more state than maintaining the per-VPN + tunnels that run inside the outer tunnels. + + There are other factors relevant to determining the number of VPN + edge to VPN edge "outer" tunnels to use. While using a single such + tunnel has the best scaling properties, using more than one may allow + different QoS capabilities or different security characteristics to + be used for different traffic flows (from the same or from different + VPNs). + + When tunnels are used hierarchically, the tunnels in the hierarchy + may all be of the same type (e.g., an MPLS label stack) or they may + be of different types (e.g., a GRE tunnel carried inside an IPsec + tunnel). + + One example using hierarchical tunnels is the establishment of a + number of different IPsec security associations, providing different + levels of security between a given pair of VPN edge devices. Per-VPN + GRE tunnels can then be grouped together and then carried over the + appropriate IPsec tunnel, rather than having a separate IPsec tunnel + per-VPN. Another example is the use of an MPLS label stack. A + single PE-PE LSP is used to carry all the per-VPN LSPs. The + mechanisms used for label establishment are typically different. The + PE-PE LSP could be established using LDP, as part or normal backbone + operation, with the per-VPN LSP labels established by piggybacking on + VPN routing (e.g., using BGP) discussed in sections 3.3.1.3 and 4.1. + + + + +Callon & Suzuki Informational [Page 44] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +4.3.5. Tunnel Maintenance + + Once a tunnel is established it is necessary to know that the tunnel + is operational. Mechanisms are needed to detect tunnel failures, and + to respond appropriately to restore service. + + There is a potential issue regarding propagation of failures when + multiple tunnels are multiplexed hierarchically. Suppose that + multiple VPN-specific tunnels are multiplexed inside a single PE to + PE tunnel. In this case, suppose that routing for the VPN is done + over the VPN-specific tunnels (as may be the case for CE-based and VR + approaches). Suppose that the PE to PE tunnel fails. In this case + multiple VPN-specific tunnels may fail, and layer 3 routing may + simultaneously respond for each VPN using the failed tunnel. If the + PE to PE tunnel is subsequently restored, there may then be multiple + VPN-specific tunnels and multiple routing protocol instances which + also need to recover. Each of these could potentially require some + exchange of control traffic. + + When a tunnel fails, if the tunnel can be restored quickly, it might + therefore be preferable to restore the tunnel without any response by + high levels (such as other tunnels which were multiplexed inside the + failed tunnels). By having high levels delay response to a lower + level failed tunnel, this may limit the amount of control traffic + needed to completely restore correct service. However, if the failed + tunnel cannot be quickly restored, then it is necessary for the + tunnels or routing instances multiplexed over the failed tunnel to + respond, and preferable for them to respond quickly and without + explicit action by network operators. + + With most layer 3 provider-provisioned CE-based VPNs and the VR + scheme, a per-VPN instance of routing is running over the tunnel, + thus any loss of connectivity between the tunnel endpoints will be + detected by the VPN routing instance. This allows rapid detection of + tunnel failure. Careful adjustment of timers might be needed to + avoid failure propagation as discussed the above. With the + aggregated routing scheme, there isn't a per-VPN instance of routing + running over the tunnel, and therefore some other scheme to detect + loss of connectivity is needed in the event that the tunnel cannot be + rapidly restored. + + Failure of connectivity in a tunnel can be very difficult to detect + reliably. Among the mechanisms that can be used to detect failure + are loss of the underlying connectivity to the remote endpoint (as + indicated, e.g., by "no IP route to host" or no MPLS label), timeout + of higher layer "hello" mechanisms (e.g., IGP hellos, when the tunnel + is an adjacency in some IGP), and timeout of keep alive mechanisms in + + + + +Callon & Suzuki Informational [Page 45] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + the tunnel establishment protocols (if any). However, none of these + techniques provides completely reliable detection of all failure + modes. Additional monitoring techniques may also be necessary. + + With hierarchical tunnels it may suffice to only monitor the + outermost tunnel for loss of connectivity. However there may be + failure modes in a device where the outermost tunnel is up but one of + the inner tunnels is down. + +4.3.6. Survey of Tunneling Techniques + + Tunneling mechanisms provide isolated communication between two CE-PE + devices. Available tunneling mechanisms include (but are not limited + to): GRE [RFC2784] [RFC2890], IP-in-IP encapsulation [RFC2003] + [RFC2473], IPsec [RFC2401] [RFC2402], and MPLS [RFC3031] [RFC3035]. + + Note that the following subsections address tunnel overhead to + clarify the risk of fragmentation. Some SP networks contain layer 2 + switches that enforce the standard/default MTU of 1500 bytes. In + this case, any encapsulation whatsoever creates a significant risk of + fragmentation. However, layer 2 switch vendors are in general aware + of IP tunneling as well as stacked VLAN overhead, thus many switches + practically allow an MTU of approximately 1512 bytes now. In this + case, up to 12 bytes of encapsulation can be used before there is any + risk of fragmentation. Furthermore, to improve TCP and NFS + performance, switches that support 9K bytes "jumbo frames" are also + on the market. In this case, there is no risk of fragmentation. + +4.3.6.1. GRE [RFC2784] [RFC2890] + + Generic Routing Encapsulation (GRE) specifies a protocol for + encapsulating an arbitrary payload protocol over an arbitrary + delivery protocol [RFC2784]. In particular, it can be used where + both the payload and the delivery protocol are IP as is the case in + layer 3 VPNs. A GRE tunnel is a tunnel whose packets are + encapsulated by GRE. + + o Multiplexing + + The GRE specification [RFC2784] does not explicitly support + multiplexing. But the key field extension to GRE is specified in + [RFC2890] and it may be used as a multiplexing field. + + + + + + + + + +Callon & Suzuki Informational [Page 46] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o QoS/SLA + + GRE itself does not have intrinsic QoS/SLA capabilities, but it + inherits whatever capabilities exist in the delivery protocol (IP). + Additional mechanisms, such as Diffserv or RSVP extensions + [RFC2746], can be applied. + + o Tunnel setup and maintenance + + There is no standard signaling protocol for setting up and + maintaining GRE tunnels. + + o Large MTUs and minimization of tunnel overhead + + When GRE encapsulation is used, the resulting packet consists of a + delivery protocol header, followed by a GRE header, followed by the + payload packet. When the delivery protocol is IPv4, and if the key + field is not present, GRE encapsulation adds at least 28 bytes of + overhead (36 bytes if key field extension is used.) + + o Security + + GRE encapsulation does not provide any significant security. The + optional key field can be used as a clear text password to aid in + the detection of misconfigurations, but it does not provide + integrity or authentication. An SP network which supports VPNs + must do extensive IP address filtering at its borders to prevent + spoofed packets from penetrating the VPNs. If multi-provider VPNs + are being supported, it may be difficult to set up these filters. + +4.3.6.2. IP-in-IP Encapsulation [RFC2003] [RFC2473] + + IP-in-IP specifies the format and procedures for IP-in-IP + encapsulation. This allows an IP datagram to be encapsulated within + another IP datagram. That is, the resulting packet consists of an + outer IP header, followed immediately by the payload packet. There + is no intermediate header as in GRE. [RFC2003] and [RFC2473] specify + IPv4 and IPv6 encapsulations respectively. Once the encapsulated + datagram arrives at the intermediate destination (as specified in the + outer IP header), it is decapsulated, yielding the original IP + datagram, which is then delivered to the destination indicated by the + original destination address field. + + + + + + + + + +Callon & Suzuki Informational [Page 47] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o Multiplexing + + The IP-in-IP specifications don't explicitly support multiplexing. + But if a different IP address is used for every VPN then the IP + address field can be used for this purpose. (See section 4.3.2 for + detail). + + o QoS/SLA + + IP-in-IP itself does not have intrinsic QoS/SLA capabilities, but + of course it inherits whatever capabilities exist for IP. + Additional mechanisms, such as RSVP extensions [RFC2764] or + DiffServ extensions [RFC2983], may be used with it. + + o Tunnel setup and maintenance + + There is no standard setup and maintenance protocol for IP-in-IP. + + o Large MTUs and minimization of tunnel overhead + + When the delivery protocol is IPv4, IP-in-IP adds at least 20 bytes + of overhead. + + o Security + + IP-in-IP encapsulation does not provide any significant security. + An SP network which supports VPNs must do extensive IP address + filtering at its borders to prevent spoofed packets from + penetrating the VPNs. If multi-provider VPNs are being supported, + it may be difficult to set up these filters. + +4.3.6.3. IPsec [RFC2401] [RFC2402] [RFC2406] [RFC2409] + + IP Security (IPsec) provides security services at the IP layer + [RFC2401]. It comprises authentication header (AH) protocol + [RFC2402], encapsulating security payload (ESP) protocol [RFC2406], + and Internet key exchange (IKE) protocol [RFC2409]. AH protocol + provides data integrity, data origin authentication, and an + anti-replay service. ESP protocol provides data confidentiality and + limited traffic flow confidentiality. It may also provide data + integrity, data origin authentication, and an anti-replay service. + AH and ESP may be used in combination. + + IPsec may be employed in either transport or tunnel mode. In + transport mode, either an AH or ESP header is inserted immediately + after the payload packet's IP header. In tunnel mode, an IP packet + is encapsulated with an outer IP packet header. Either an AH or ESP + header is inserted between them. AH and ESP establish a + + + +Callon & Suzuki Informational [Page 48] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + unidirectional secure communication path between two endpoints, which + is called a security association. In tunnel mode, PE-PE tunnel (or a + CE-CE tunnel) consists of a pair of unidirectional security + associations. The IPsec and IKE protocols are used for setting up + IPsec tunnels. + + o Multiplexing + + The SPI field of AH and ESP is used to multiplex security + associations (or tunnels) between two peer devices. + + o QoS/SLA + + IPsec itself does not have intrinsic QoS/SLA capabilities, but it + inherits whatever mechanisms exist for IP. Other mechanisms such + as "RSVP Extensions for IPsec Data Flows" [RFC2207] or DiffServ + extensions [RFC2983] may be used with it. + + o Tunnel setup and maintenance + + The IPsec and IKE protocols are used for the setup and maintenance + of tunnels. + + o Large MTUs and minimization of tunnel overhead + + IPsec transport mode adds at least 8 bytes of overhead. IPsec + tunnel mode adds at least 28 bytes of overhead. IPsec transport + mode adds minimal overhead. In PE-based PPVPNs, the processing + overhead of IPsec (due to its cryptography) may limit the PE's + performance, especially if privacy is being provided; this is not + generally an issue in CE-based PPVPNs. + + o Security + + When IPsec tunneling is used in conjunction with IPsec's + cryptographic capabilities, excellent authentication and integrity + functions can be provided. Privacy can also be optionally + provided. + +4.3.6.4. MPLS [RFC3031] [RFC3032] [RFC3035] + + Multiprotocol Label Switching (MPLS) is a method for forwarding + packets through a network. Routers at the edge of a network apply + simple labels to packets. A label may be inserted between the data + link and network headers, or may be carried in the data link header + (e.g., the VPI/VCI field in an ATM header). Routers in the network + + + + + +Callon & Suzuki Informational [Page 49] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + switch packets according to the labels, with minimal lookup overhead. + A path, or a tunnel in the PPVPN, is called a "label switched path + (LSP)". + + o Multiplexing + + LSPs may be multiplexed within other LSPs. + + o QoS/SLA + + MPLS does not have intrinsic QoS or SLA management mechanisms, but + bandwidth may be allocated to LSPs, and their routing may be + explicitly controlled. Additional techniques such as DiffServ and + DiffServ aware traffic engineering may be used with it [RFC3270] + [MPLS-DIFF-TE]. QoS capabilities from IP may be inherited. + + o Tunnel setup and maintenance + + LSPs are set up and maintained by LDP (Label Distribution + Protocol), RSVP (Resource Reservation Protocol) [RFC3209], or BGP. + + o Large MTUs and minimization of tunnel overhead. + + MPLS encapsulation adds four bytes per label. VPN-2547BIS's + [VPN-2547BIS] approach uses at least two labels for encapsulation + and adds minimal overhead. + + o Encapsulation + + MPLS packets may optionally be encapsulated in IP or GRE, for cases + where it is desirable to carry MPLS packets over an IP-only + infrastructure. + + o Security + + MPLS encapsulation does not provide any significant security. An + SP which is providing VPN service can refuse to accept MPLS packets + from outside its borders. This provides the same level of + assurance as would be obtained via IP address filtering when + IP-based encapsulations are used. If a VPN is jointly provided by + multiple SPs, care should be taken to ensure that a labeled packet + is accepted from a neighboring router in another SP only if its top + label is one which was actually distributed to that router. + + + + + + + + +Callon & Suzuki Informational [Page 50] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o Applicability + + MPLS is the only one of the encapsulation techniques that cannot be + guaranteed to run over any IP network. Hence it would not be + applicable when transparency to the Internet is a requirement. + + If the VPN backbone consists of several cooperating SP networks + which support MPLS, then the adjacent networks may support MPLS at + their interconnects. If two cooperating SP networks which support + MPLS are separated by a third which does not support MPLS, then + MPLS-in-IP or MPLS-in-IPsec tunneling may be done between them. + +4.4. PE-PE Distribution of VPN Routing Information + + In layer 3 PE-based VPNs, PE devices examine the IP headers of + packets they receive from the customer networks. Forwarding is based + on routing information received from the customer network. This + implies that the PE devices need to participate in some manner in + routing for the customer network. Section 3.3 discussed how routing + would be done in the customer network, including the customer + interface. In this section, we discuss ways in which the routing + information from a particular VPN may be passed, over the shared VPN + backbone, among the set of PEs attaching to that VPN. + + The PEs needs to distribute two types of routing information to each + other: (i) Public Routing: routing information which specifies how to + reach addresses on the VPN backbone (i.e., "public addresses"); call + this "public routing information" (ii) VPN Routing: routing + information obtained from the CEs, which specifies how to reach + addresses ("private addresses") that are in the VPNs. + + The way in which routing information in the first category is + distributed is outside the scope of this document; we discuss only + the distribution of routing information in the second category. Of + course, one of the requirements for distributing VPN routing + information is that it be kept separate and distinct from the public + information. Another requirement is that the distribution of VPN + routing information not destabilize or otherwise interfere with the + distribution of public routing information. + + Similarly, distribution of VPN routing information associated with + one VPN should not destabilize or otherwise interfere with the + operation of other VPNs. These requirements are, for example, + relevant in the case that a private network might be suffering from + instability or other problems with its internal routing, which might + be propagated to the VPN used to support that private network. + + + + + +Callon & Suzuki Informational [Page 51] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + Note that this issue does not arise in CE-based VPNs, as in CE-based + VPNs, the PE devices do not see packets from the VPN until after the + packets haven been encapsulated in an outer header that has only + public addresses. + +4.4.1. Options for VPN Routing in the SP + + The following technologies can be used for exchanging VPN routing + information discussed in sections 3.3.1.3 and 4.1. + + o Static routing + + o RIP [RFC2453] + + o OSPF [RFC2328] + + o BGP-4 [RFC1771] + +4.4.2. VPN Forwarding Instances (VFIs) + + In layer 3 PE-based VPNs, the PE devices receive unencapsulated IP + packets from the CE devices, and the PE devices use the IP + destination addresses in these packets to help make their forwarding + decisions. In order to do this properly, the PE devices must obtain + routing information from the customer networks. This implies that + the PE device participates in some manner in the customer network's + routing. + + In layer 3 PE-based VPNs, a single PE device connected to several CE + devices that are in the same VPN, and it may also be connected to CE + devices of different VPNs. The route which the PE chooses for a + given IP destination address in a given packet will depend on the VPN + from which the packet was received. A PE device must therefore have + a separate forwarding table for each VPN to which it is attached. We + refer to these forwarding tables as "VPN Forwarding Instances" + (VFIs), as defined in section 2.1. + + A VFI contains routes to locally attached VPN sites, as well as + routes to remote VPN sites. Section 4.4 discusses the way in which + routes to remote sites are obtained. + + Routes to local sites may be obtained in several ways. One way is to + explicitly configure static routes into the VFI. This can be useful + in simple deployments, but it requires that one or more devices in + the customer's network be configured with static routes (perhaps just + a default route), so that traffic will be directed from the site to + the PE device. + + + + +Callon & Suzuki Informational [Page 52] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + Another way is to have the PE device be a routing peer of the CE + device, in a routing algorithm such as RIP, OSPF, or BGP. Depending + on the deployment scenario, the PE might need to advertise a large + number of routes to each CE (e.g., all the routes which the PE + obtained from remote sites in the CE's VPN), or it might just need to + advertise a single default route to the CE. + + A PE device uses some resources in proportion to the number of VFIs + that it has, particularly if a distinct dynamic routing protocol + instance is associated with each VFI. A PE device also uses some + resources in proportion to the total number of routes it supports, + where the total number of routes includes all the routes in all its + VFIs, and all the public routes. These scaling factors will limit + the number of VPNs which a single PE device can support. + + When dynamic routing is used between a PE and a CE, it is not + necessarily the case that each VFI is associated with a single + routing protocol instance. A single routing protocol instance may + provide routing information for multiple VFIs, and/or multiple + routing protocol instances might provide information for a single + VFI. See sections 4.4.3, 4.4.4, 3.3.1, and 3.3.1.3 for details. + + There are several options for how VPN routes are carried between the + PEs, as discussed below. + +4.4.3. Per-VPN Routing + + One option is to operate separate instances of routing protocols + between the PEs, one instance for each VPN. When this is done, + routing protocol packets for each customer network need to be + tunneled between PEs. This uses the same tunneling method, and + optionally the same tunnels, as is used for transporting VPN user + data traffic between PEs. + + With per-VPN routing, a distinct routing instance corresponding to + each VPN exists within the corresponding PE device. VPN-specific + tunnels are set up between PE devices (using the control mechanisms + that were discussed in sections 3 and 4). Logically these tunnels + are between the VFIs which are within the PE devices. The tunnels + then used as if they were normal links between normal routers. + Routing protocols for each VPN operate between VFIs and the routers + within the customer network. + + This approach establishes, for each VPN, a distinct "control plane" + operating across the VPN backbone. There is no sharing of control + plane by any two VPNs, nor is there any sharing of control plane by + + + + + +Callon & Suzuki Informational [Page 53] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + the VPN routing and the public routing. With this approach each PE + device can logically be thought of as consisting of multiple + independent routers. + + The multiple routing instances within the PE device may be separate + processes, or may be in the same process with different data + structures. Similarly, there may be mechanisms internal to the PE + devices to partition memory and other resources between routing + instances. The mechanisms for implementing multiple routing + instances within a single physical PE are outside of the scope of + this framework document, and are also outside of the scope of other + standards documents. + + This approach tends to minimize the explicit interactions between + different VPNs, as well as between VPN routing and public routing. + However, as long as the independent logical routers share the same + hardware, there is some sharing of resources, and interactions are + still possible. Also, each independent control plane has its + associated overheads, and this can raise issues of scale. For + example, the PE device must run a potentially large number of + independent routing "decision processes," and must also maintain a + potentially very large number of routing adjacencies. + +4.4.4. Aggregated Routing Model + + Another option is to use one single instance of a routing protocol + for carrying VPN routing information between the PEs. In this + method, the routing information for multiple different VPNs is + aggregated into a single routing protocol. + + This approach greatly reduces the number of routing adjacencies which + the PEs must maintain, since there is no longer any need to maintain + more than one such adjacency between a given pair of PEs. If the + single routing protocol supports a hierarchical route distribution + mechanism (such as BGP's "route reflectors"), the PE-PE adjacencies + can be completely eliminated, and the number of backbone adjacencies + can be made into a small constant which is independent of the number + of PE devices. This improves the scaling properties. + + Additional routing instances may still be needed to support the + exchange of routing information between the PE and its locally + attached CEs. These can be eliminated, with a consequent further + improvement in scalability, by using static routing on the PE-CE + interfaces, or possibly by having the PE-CE routing interaction use + the same protocol instance that is used to distribute VPN routes + across the VPN backbone (see section 4.4.4.2 for a way to do this). + + + + + +Callon & Suzuki Informational [Page 54] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + With this approach, the number of routing protocol instances in a PE + device does not depend on the number of CEs supported by the PE + device, if the routing between PE and CE devices is static or BGP-4. + However, CE and PE devices in a VPN exchange route information inside + a VPN using a routing protocol except for BGP-4, the number of + routing protocol entities in a PE device depends on the number of CEs + supported by the PE device. + + In principle it is possible for routing to be aggregated using either + BGP or on an IGP. + +4.4.4.1. Aggregated Routing with OSPF or IS-IS + + When supporting VPNs, it is likely that there can be a large number + of VPNs supported within any given SP network. In general only a + small number of PE devices will be interested in the operation of any + one VPN. Thus while the total amount of routing information related + to the various customer networks will be very large, any one PE needs + to know about only a small number of such networks. + + Generally SP networks use OSPF or IS-IS for interior routing within + the SP network. There are very good reasons for this choice, which + are outside of the scope of this document. + + Both OSPF and IS-IS are link state routing protocols. In link state + routing, routing information is distributed via a flooding protocol. + The set of routing peers is in general not fully meshed, but there is + a path from any router in the set to any other. Flooding ensures + that routing information from any one router reaches all the others. + This requires all routers in the set to maintain the same routing + information. One couldn't withhold any routing information from a + particular peer unless it is known that none of the peers further + downstream will need that information, and in general this cannot be + known. + + As a result, if one tried to do aggregated routing by using OSPF, + with all the PEs in the set of routing peers, all the PEs would end + up with the exact same routing information; there is no way to + constrain the distribution of routing information to a subset of the + PEs. Given the potential magnitude of the total routing information + required for supporting a large number of VPNs, this would have + unfortunate scaling implications. + + In some cases VPNs may span multiple areas within a provider, or span + multiple providers. If VPN routing information were aggregated into + the IGP used within the provider, then some method would need to be + used to extend the reach of IGP routing information between areas and + between SPs. + + + +Callon & Suzuki Informational [Page 55] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +4.4.4.2. Aggregated Routing with BGP + + In order to use BGP for aggregated routing, the VPN routing + information must be clearly distinguished from the public Internet + routing information. This is typically done by making use of BGP's + capability of handling multiple address families, and treating the + VPN routes as being in a different address family than the public + Internet routes. Typically a VPN route also carries attributes which + depend on the particular VPN or VPNs to which that route belongs. + + When BGP is used for carrying VPN information, the total amount of + information carried in BGP (including the Internet routes and VPN + routes) may be quite large. As noted above, there may be a large + number of VPNs which are supported by any particular provider, and + the total amount of routing information associated with all VPNs may + be quite large. However, any one PE will in general only need to be + aware of a small number of VPNs. This implies that where VPN routing + information is aggregated into BGP, it is desirable to be able to + limit which VPN information is distributed to which PEs. + + In "Interior BGP" (IBGP), routing information is not flooded; it is + sent directly, over a TCP connection, to the peer routers (or to a + route reflector). These peer routers (unless they are route + reflectors) are then not even allowed to redistribute the information + to each other. BGP also has a comprehensive set of mechanisms for + constraining the routing information that any one peer sends to + another, based on policies established by the network administration. + Thus IBGP satisfies one of the requirements for aggregated routing + within a single SP network - it makes it possible to ensure that + routing information relevant to a particular VPN is processed only by + the PE devices that attach to that VPN. All that is necessary is + that each VPN route be distributed with one or more attributes which + identify the distribution policies. Then distribution can be + constrained by filtering against these attributes. + + In "Exterior BGP" (EBGP), routing peers do redistribute routing + information to each other. However, it is very common to constrain + the distribution of particular items of routing information so that + they only go to those exterior peers who have a "need to know," + although this does require a priori knowledge of which paths may + validly lead to which addresses. In the case of VPN routing, if a + VPN is provided by a small set of cooperating SPs, such constraints + can be applied to ensure that the routing information relevant to + that VPN does not get distributed anywhere it doesn't need to be. To + the extent that a particular VPN is supported by a small number of + cooperating SPs with private peering arrangements, this is + + + + + +Callon & Suzuki Informational [Page 56] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + particularly straightforward, as the set of EBGP neighbors which need + to know the routing information from a particular VPN is easier to + determine. + + BGP also has mechanisms (such as "Outbound Route Filtering," ORF) + which enable the proper set of VPN routing distribution constraints + to be dynamically distributed. This reduces the management burden of + setting up the constraints, and hence improves scalability. + + Within a single routing domain (in the layer 3 VPN context, this + typically means within a single SP's network), it is common to have + the IBGP routers peer directly with one or two route reflectors, + rather than having them peer directly with each other. This greatly + reduces the number of IBGP adjacencies which any one router must + support. Further, a route reflector does not merely redistribute + routing information, it "digests" the information first, by running + its own decision processes. Only routes which survive the decision + process are redistributed. + + As a result, when route reflectors are used, the amount of routing + information carried around the network, and in particular, the amount + of routing information which any given router must receive and + process, is greatly reduced. This greatly increases the scalability + of the routing distribution system. + + It has already been stated that a given PE has VPN routing + information only for those PEs to which it is directly attached. It + is similarly important, for scalability, to ensure that no single + route reflector should have to have all the routing information for + all VPNs. It is after all possible for the total number of VPN + routes (across all VPNs supported by an SP) to exceed the number + which can be supported by a single route reflector. Therefore, the + VPN routes may themselves be partitioned, with some route reflectors + carrying one subset of the VPN routes and other route reflectors + carrying a different subset. The route reflectors which carry the + public Internet routes can also be completely separate from the route + reflectors that carry the VPN routes. + + The use of outbound route filters allows any one PE and any one route + reflector to exchange information about only those VPNs which the PE + and route reflector are both interested in. This in turn ensures + that each PE and each route reflector receives routing information + only about the VPNs which it is directly supporting. Large SPs which + support a large number of VPNs therefore can partition the + information which is required for support of those VPNs. + + + + + + +Callon & Suzuki Informational [Page 57] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + Generally a PE device will be restricted in the total number of + routes it can support, whether those are public Internet routes or + VPN routes. As a result, a PE device may be able to be attached to a + larger number of VPNs if it does not also need to support Internet + routes. + + The way in which VPN routes are partitioned among PEs and/or route + reflectors is a deployment issue. With suitable deployment + procedures, the limited capacity of these devices will not limit the + number of VPNs that can be supported. + + Similarly, whether a given PE and/or route reflector contains + Internet routes as well as VPN routes is a deployment issue. If the + customer networks served by a particular PE do not need the Internet + access, then that PE does not need to be aware of the Internet + routes. If some or all of the VPNs served by a particular PE do need + the Internet access, but the PE does not contain Internet routes, + then the PE can maintain a default route that routes all the Internet + traffic from that PE to a different router within the SP network, + where that other router holds the full the Internet routing table. + With this approach the PE device needs only a single default route + for all the Internet routes. + + For the reasons given above, the BGP protocol seems to be a + reasonable protocol to use for distributing VPN routing information. + Additional reasons for the use of BGP are: + + o BGP has been proven to be useful for distributing very large + amounts of routing information; there isn't any routing + distribution protocol which is known to scale any better. + + o The same BGP instance that is used for PE-PE distribution of VPN + routes can be used for PE-CE route distribution, if CE-PE routing + is static or BGP. PEs and CEs are really parts of distinct + Autonomous Systems, and BGP is particularly well-suited for + carrying routing information between Autonomous Systems. + + On the other hand, BGP is also used for distributing public Internet + routes, and it is crucially important that VPN route distributing not + compromise the distribution of public Internet routes in any way. + This issue is discussed in the following section. + + + + + + + + + + +Callon & Suzuki Informational [Page 58] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +4.4.5. Scalability and Stability of Routing with Layer 3 PE-based VPNs + + For layer 3 PE-based VPNs, there are likely to be cases where a + service provider supports Internet access over the same link that is + used for VPN service. Thus, a particular CE to PE link may carry + both private network IP packets (for transmission between sites of + the private network using VPN services) as well as public Internet + traffic (for transmission from the private site to the Internet, and + for transmission to the private site from the Internet). This + section looks at the scalability and stability of routing in this + case. It is worth noting that this sort of issue may be applicable + where per-VPN routing is used, as well as where aggregated routing is + used. + + For layer 3 PE-based VPNs, it is necessary for the PE devices to be + able to forward IP packets using the addresses spaces of the + supported private networks, as well as using the full Internet + address space. This implies that PE devices might in some cases + participate in routing for the private networks, as well as for the + public Internet. + + In some cases the routing demand on the PE might be low enough, and + the capabilities of the PE, might be great enough, that it is + reasonable for the PE to participate fully in routing for both + private networks and the public Internet. For example, the PE device + might participate in normal operation of BGP as part of the global + Internet. The PE device might also operate routing protocols (or in + some cases use static routing) to exchange routes with CE devices. + + For large installations, or where PE capabilities are more limited, + it may be undesirable for the PE to fully participate in routing for + both VPNs as well as the public Internet. For example, suppose that + the total volume of routes and routing instances supported by one PE + across multiple VPNs is very large. Suppose furthermore that one or + more of the private networks suffers from routing instabilities, for + example resulting in a large number of routing updates being + transmitted to the PE device. In this case it is important to + prevent such routing from causing any instability in the routing used + in the global Internet. + + In these cases it may be necessary to partition routing, so that the + PE does not need to maintain as large a collection of routes, and so + that the PE is not able to adversely effect Internet routing. Also, + given that the total number of route prefixes and the total number of + routing instances which the PE needs to maintain might be very large, + it may be desirable to limit the participation in Internet routing + for those PEs which are supporting a large number of VPNs or which + are supporting large VPNs. + + + +Callon & Suzuki Informational [Page 59] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + Consider a case where a PE is supporting a very large number of VPNs, + some of which have a large number of sites. To pick a VERY large + example, let's suppose 1000 VPNs, with an average of 100 sites each, + plus 10 prefixes per site on average. Consider that the PE also + needs to be able to route traffic to the Internet in general. In + this example the PE might need to support approximately 1,000,000 + prefixes for the VPNs, plus more than 100,000 prefixes for the + Internet. If augmented and aggregated routing is used, then this + implies a large number of routes which may be advertised in a single + routing protocol (most likely BGP). If the VR approach is used, then + there are also 100,000 neighbor adjacencies in the various per-VPN + routing protocol instances. In some cases this number of routing + prefixes and/or this number of adjacencies might be difficult to + support in one device. + + In this case, an alternate approach is to limit the PE's + participation in Internet routing to the absolute minimum required: + Specifically the PE will need to know which Internet address prefixes + are reachable via directly attached CE devices. All other Internet + routes may be summarized into a single default route pointing to one + or more P routers. In many cases the P routers to which the default + routes are directed may be the P routers to which the PE device is + directly attached (which are the ones which it needs to use for + forwarding most Internet traffic). Thus if there are M CE devices + directly connected to the PE, and if these M CE devices are the next + hop for a total of N globally addressable Internet address prefixes, + then the PE device would maintain N+1 routes corresponding to + globally routable Internet addresses. + + In this example, those PE devices which provide VPN service run + routing to compute routes for the VPNs, but don't operate Internet + routing, and instead use only a default route to route traffic to all + Internet destinations (not counting the addresses which are reachable + via directly attached CE devices). The P routers need to maintain + Internet routes, and therefore take part in Internet routing + protocols. However, the P routers don't know anything about the VPN + routes. + + In some cases the maximum number of routes and/or routing instances + supportable via a single PE device may limit the number of VPNs which + can be supported by that PE. For example, in some cases this might + require that two different PE devices be used to support VPN services + for a set of multiple CEs, even if one PE might have had sufficient + throughput to handle the data traffic from the full set of CEs. + Similarly, the amount of resources which any one VPN is permitted to + use in a single PE might be restricted. + + + + + +Callon & Suzuki Informational [Page 60] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + There will be cases where it is not necessary to partition the + routing, since the PEs will be able to maintain all VPN routes and + all Internet routes without a problem. However, it is important that + VPN approaches allow partitioning to be used where needed in order to + prevent future scaling problems. Again, making the system scalable + is a matter of proper deployment. + + It may be wondered whether it is ever desirable to have both Internet + routing and VPN routing running in a single PE device or route + reflector. In fact, if there is even a single system running both + Internet routing and VPN routing, doesn't that raise the possibility + that a disruption within the VPN routing system will cause a + disruption within the Internet routing system? + + Certainly this possibility exists in theory. To minimize that + possibility, BGP implementations which support multiple address + families should be organized so as to minimize the degree to which + the processing and distribution of one address family affects the + processing and distribution of another. This could be done, for + example, by suitable partitioning of resources. This partitioning + may be helpful both to protect Internet routing from VPN routing, and + to protect well behaved VPN customers from "mis-behaving" VPNs. Or + one could try to protect the Internet routing system from the VPN + routing system by giving preference to the Internet routing. Such + implementation issues are outside the scope of this document. If one + has inadequate confidence in an implementation, deployment procedures + can be used, as explained above, to separate the Internet routing + from the VPN routing. + +4.5. Quality of Service, SLAs, and IP Differentiated Services + + The following technologies for QoS/SLA may be applicable to PPVPNs. + +4.5.1. IntServ/RSVP [RFC2205] [RFC2208] [RFC2210] [RFC2211] [RFC2212] + + Integrated services, or IntServ for short, is a mechanism for + providing QoS/SLA by admission control. RSVP is used to reserve + network resources. The network needs to maintain a state for each + reservation. The number of states in the network increases in + proportion to the number of concurrent reservations. + + In some cases, IntServ on the edge of a network (e.g., over the + customer interface) may be mapped to DiffServ in the SP network. + + + + + + + + +Callon & Suzuki Informational [Page 61] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +4.5.2. DiffServ [RFC2474] [RFC2475] + + IP differentiated service, or DiffServ for short, is a mechanism for + providing QoS/SLA by differentiating traffic. Traffic entering a + network is classified into several behavior aggregates at the network + edge and each is assigned a corresponding DiffServ codepoint. Within + the network, traffic is treated according to its DiffServ codepoint. + Some behavior aggregates have already been defined. Expedited + forwarding behavior [RFC3246] guarantees the QoS, whereas assured + forwarding behavior [RFC2597] differentiates traffic packet + precedence values. + + When DiffServ is used, network provisioning is done on a + per-traffic-class basis. This ensures a specific class of service + can be achieved for a class (assuming that the traffic load is + controlled). All packets within a class are then treated equally + within an SP network. Policing is done at input to prevent any one + user from exceeding their allocation and therefore defeating the + provisioning for the class as a whole. If a user exceeds their + traffic contract, then the excess packets may optionally be + discarded, or may be marked as "over contract". Routers throughout + the network can then preferentially discard over contract packets in + response to congestion, in order to ensure that such packets do not + defeat the service guarantees intended for in contract traffic. + +4.6. Concurrent Access to VPNs and the Internet + + In some scenarios, customers will need to concurrently have access to + their VPN network and to the public Internet. + + Two potential problems are identified in this scenario: the use of + private addresses and the potential security threads. + + o The use of private addresses + + The IP addresses used in the customer's sites will possibly belong + to a private routing realm, and as such be unusable in the public + Internet. This means that a network address translation function + (e.g., NAT) will need to be implemented to allow VPN customers to + access the Public Internet. + + In the case of layer 3 PE-based VPNs, this translation function + will be implemented in the PE to which the CE device is connected. + In the case of layer 3 provider-provisioned CE-based VPNs, this + translation function will be implemented on the CE device itself. + + + + + + +Callon & Suzuki Informational [Page 62] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o Potential security threat + + As portions of the traffic that flow to and from the public + Internet are not necessarily under the SP's nor the customer's + control, some traffic analyzing function (e.g., a firewall + function) will be implemented to control the traffic entering and + leaving the VPN. + + In the case of layer 3 PE-based VPNs, this traffic analyzing + function will be implemented in the PE device (or in the VFI + supporting a specific VPN), while in the case of layer 3 provider + provisioned CE-based VPNs, this function will be implemented in the + CE device. + + o Handling of a customer IP packet destined for the Internet + + In the case of layer 3 PE-based VPNs, an IP packet coming from a + customer site will be handled in the corresponding VFI. If the IP + destination address in the packet's IP header belongs to the + Internet, multiple scenarios are possible, based on the adapted + policy. As a first possibility, when Internet access is not + allowed, the packet will be dropped. As a second possibility, when + (controlled) Internet access is allowed, the IP packet will go + through the translation function and eventually through the traffic + analyzing function before further processing in the PE's global + Internet forwarding table. + + Note that different implementation choices are possible. One can + choose to implement the translation and/or the traffic analyzing + function in every VFI (or CE device in the context of layer 3 + provider-provisioned CE-based VPNs), or alternatively in a subset or + even in only one VPN network element. This would mean that the + traffic to/from the Internet from/to any VPN site needs to be routed + through that single network element (this is what happens in a hub + and spoke topology for example). + +4.7. Network and Customer Management of VPNs + +4.7.1. Network and Customer Management + + Network and customer management systems responsible for managing VPN + networks have several challenges depending on the type of VPN network + or networks they are required to manage. + + For any type of provider-provisioned VPN it is useful to have one + place where the VPN can be viewed and optionally managed as a whole. + The NMS may therefore be a place where the collective instances of a + VPN are brought together into a cohesive picture to form a VPN. To + + + +Callon & Suzuki Informational [Page 63] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + be more precise, the instances of a VPN on their own do not form the + VPN; rather, the collection of disparate VPN sites together forms the + VPN. This is important because VPNs are typically configured at the + edges of the network (i.e., PEs) either through manual configuration + or auto-configuration. This results in no state information being + kept in within the "core" of the network. Sometimes little or no + information about other PEs is configured at any particular PE. + + Support of any one VPN may span a wide range of network equipment, + potentially including equipment from multiple implementors. Allowing + a unified network management view of the VPN therefore is simplified + through use of standard management interfaces and models. This will + also facilitate customer self-managed (monitored) network devices or + systems. + + In cases where significant configuration is required whenever a new + service is provisioned, it is important for scalability reasons that + the NMS provide a largely automated mechanism for this operation. + Manual configuration of VPN services (i.e., new sites, or + re-provisioning existing ones), could lead to scalability issues, and + should be avoided. It is thus important for network operators to + maintain visibility of the complete picture of the VPN through the + NMS system. This must be achieved using standard protocols such as + SNMP, XML, or LDAP. Use of proprietary command-line interfaces has + the disadvantage that proprietary interfaces do not lend themselves + to standard representations of managed objects. + + To achieve the goals outlined above for network and customer + management, device implementors should employ standard management + interfaces to expose the information required to manage VPNs. To + this end, devices should utilize standards-based mechanisms such as + SNMP, XML, or LDAP to achieve this goal. + +4.7.2. Segregated Access of VPN Information + + Segregated access of VPNs information is important in that customers + sometimes require access to information in several ways. First, it + is important for some customers (or operators) to access PEs, CEs or + P devices within the context of a particular VPN on a per-VPN-basis + in order to access statistics, configuration or status information. + This can either be under the guise of general management, + operator-initiated provisioning, or SLA verification (SP, customer or + operator). + + + + + + + + +Callon & Suzuki Informational [Page 64] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + Where users outside of the SP have access to information from PE or P + devices, managed objects within the managed devices must be + accessible on a per-VPN basis in order to provide the customer, the + SP or the third party SLA verification agent with a high degree of + security and convenience. + + Security may require authentication or encryption of network + management commands and information. Information hiding may use + encryption or may isolate information through a mechanism that + provides per-VPN access. Authentication or encryption of both + requests and responses for managed objects within a device may be + employed. Examples of how this can be achieved include IPsec + tunnels, SNMPv3 encryption for SNMP-based management, or encrypted + telnet sessions for CLI-based management. + + In the case of information isolation, any one customer should only be + able to view information pertaining to its own VPN or VPNs. + Information isolation can also be used to partition the space of + managed objects on a device in such a way as to make it more + convenient for the SP to manage the device. In certain deployments, + it is also important for the SP to have access to information + pertaining to all VPNs, thus it may be important for the SP to create + virtual VPNs within the management domain which overlap across + existing VPNs. + + If the user is allowed to change the configuration of their VPN, then + in some cases customers may make unanticipated changes or even + mistakes, thereby causing their VPN to mis-behave. This in turn may + require an audit trail to allow determination of what went wrong and + some way to inform the carrier of the cause. + + The segregation and security access of information on a per-VPN basis + is also important when the carrier of carrier's paradigm is employed. + In this case it may be desirable for customers (i.e., sub-carriers or + VPN wholesalers) to manage and provision services within their VPNs + on their respective devices in order to reduce the management + overhead cost to the carrier of carrier's SP. In this case, it is + important to observe the guidelines detailed above with regard to + information hiding, isolation and encryption. It should be noted + that there may be many flavors of information hiding and isolation + employed by the carrier of carrier's SP. If the carrier of carriers + SP does not want to grant the sub-carrier open access to all of the + managed objects within their PEs or P routers, it is necessary for + devices to provide network operators with secure and scalable per-VPN + network management access to their devices. For the reasons outlined + above, it therefore is desirable to provide standard mechanisms for + achieving these goals. + + + + +Callon & Suzuki Informational [Page 65] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +5. Interworking Interface + + This section describes interworking between different layer 3 VPN + approaches. This may occur either within a single SP network, or at + an interface between SP networks. + +5.1. Interworking Function + + Figure 2.5 (see section 2.1.3) illustrates a case where one or more + PE devices sits at the logical interface between two different layer + 3 VPN approaches. With this approach the interworking function + occurs at a PE device which participates in two or more layer 3 VPN + approaches. This might be physically located at the boundary between + service providers, or might occur at the logical interface between + different approaches within a service provider. + + With layer 3 VPNs, the PE devices are in general layer 3 routers, and + are able to forward layer 3 packets on behalf of one or more private + networks. For example, it may be common for a PE device supporting + layer 3 VPNs to contain multiple logical VFIs (sections 1, 2, 3.3.1, + 4.4.2) each of which supports forwarding and routing for a private + network. + + The PE which implements an interworking function needs to participate + in the normal manner in the operation of multiple approaches for + supporting layer 3 VPNs. This involves the functions discussed + elsewhere in this document, such as VPN establishment and + maintenance, VPN tunneling, routing for the VPNs, and QoS + maintenance. + + VPN establishment and maintenance information, as well as VPN routing + information will need to be passed between VPN approaches. This + might involve passing of information between approaches as part of + the interworking function. Optionally this might involve manual + configuration so that, for example, all of the participants in the + VPN on one side of the interworking function considers the PE + performing the interworking function to be the point to use to + contact a large number of systems (comprising all systems supported + by the VPN located on the other side of the interworking function). + +5.2. Interworking Interface + + Figure 2.6 (see section 2.1.3) illustrates a case where interworking + is performed by use of tunnels between PE devices. In this case each + PE device participates in the operation of one layer 3 VPN approach. + Interworking between approaches makes use of per-VPN tunnels set up + between PE. Each PEs operates as if it is a normal PEs, and + considers each tunnel to be associated with a particular VPN. + + + +Callon & Suzuki Informational [Page 66] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + Information can then be transmitted over the interworking interface + in the same manner that it is transmitted over a CE to PE interface. + + In some cases establishment of the interworking interfaces may + require manual configuration, for example to allow each PE to + determine which tunnels should be set up, and which private network + is associated with each tunnel. + +5.2.1. Tunnels at the Interworking Interface + + In order to implement an interworking interface between two SP + networks for supporting one or more PPVPN spanning both SP networks, + a mechanism for exchanging customer data as well as associated + control data (e.g., routing data) should be provided. + + Since PEs of SP networks to be interworked may only communicate over + a network cloud, an appropriate tunnel established through the + network cloud will be used for exchanging data associated with the + PPVPN realized by interworked SP networks. + + In this way, each interworking tunnel is assigned to an associated + layer 3 PE-based VPN; in other words, a tunnel is terminated by a VFI + (associated with the PPVPN) in a PE device. This scenario results in + implementation of traffic isolation for PPVPNs supported by an + Interworking Interface and spanning multiple SP networks (in each SP + network, there is no restriction in applied technology for providing + PPVPN so that both sides may adopt different technologies). The way + of the assignment of each tunnel for a PE-based VPN is specific to + implementation technology used by the SP network that is + inter-connected to the tunnel at the PE device. + + The identifier of layer 3 PE-based VPN at each end is meaningful only + in the context of the specific technology of an SP network and need + not be understood by another SP network interworking through the + tunnel. + + The following tunneling mechanisms may be used at the interworking + interface. Available tunneling mechanisms include (but are not + limited to): GRE, IP-in-IP, IP over ATM, IP over FR, IPsec, and MPLS. + + o GRE + + The tunnels at interworking interface may be provided by GRE + [RFC2784] with key and sequence number extensions [RFC2890]. + + + + + + + +Callon & Suzuki Informational [Page 67] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o IP-in-IP + + The tunnels at interworking interface may be provided by IP-in-IP + [RFC2003] [RFC2473]. + + o IP over ATM AAL5 + + The tunnels at interworking interface may be provided by IP over + ATM AAL5 [RFC2684] [RFC2685]. + + o IP over FR + + The tunnels at interworking interface may be provided by IP over + FR. + + o IPsec + + The tunnels at interworking interface may be provided by IPsec + [RFC2401] [RFC2402]. + + o MPLS + + The tunnels at interworking interface may be provided by MPLS + [RFC3031] [RFC3035]. + +5.3. Support of Additional Services + + This subsection describes additional usages for supporting QoS/SLA, + customer visible routing, and customer visible multicast routing, as + services of layer 3 PE-based VPNs spanning multiple SP networks. + + o QoS/SLA + + QoS/SLA management mechanisms for GRE, IP-in-IP, IPsec, and MPLS + tunnels were discussed in sections 4.3.6 and 4.5. See these + sections for details. FR and ATM are capable of QoS guarantee. + Thus, QoS/SLA may also be supported at the interworking interface. + + o Customer visible routing + + As described in section 3.3, customer visible routing enables the + exchange of unicast routing information between customer sites + using a routing protocol such as OSPF, IS-IS, RIP, and BGP-4. On + the interworking interface, routing packets, such as OSPF packets, + are transmitted through a tunnel associated with a layer 3 PE-based + VPN in the same manner as that for user data packets within the + VPN. + + + + +Callon & Suzuki Informational [Page 68] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + o Customer visible multicast routing + + Customer visible multicast routing enables the exchange of + multicast routing information between customer sites using a + routing protocol such as DVMRP and PIM. On the interworking + interface, multicast routing packets are transmitted through a + tunnel associated with a layer 3 PE-based VPN in the same manner as + that for user data packets within the VPN. This enables a + multicast tree construction within the layer 3 PE-based VPN. + +5.4. Scalability Discussion + + This subsection discusses scalability aspect of the interworking + scenario. + + o Number of routing protocol instances + + In the interworking scenario discussed in this section, the number + of routing protocol instances and that of layer 3 PE-based VPNs are + the same. However, the number of layer 3 PE-based VPNs in a PE + device is limited due to resource amount and performance of the PE + device. Furthermore, each tunnel is expected to require some + bandwidth, but total of the bandwidth is limited by the capacity of + a PE device; thus, the number of the tunnels is limited by the + capabilities of the PE. This limit is not a critical drawback. + + o Performance of packet transmission + + The interworking scenario discussed in this section does not place + any additional burden on tunneling technologies used at + interworking interface. Since performance of packet transmission + depends on a tunneling technology applied, it should be carefully + selected when provisioning interworking. For example, IPsec places + computational requirements for encryption/decryption. + +6. Security Considerations + + Security is one of the key requirements concerning VPNs. In network + environments, the term security currently covers many different + aspects of which the most important from a networking perspective are + shortly discussed hereafter. + + Note that the Provider-Provisioned VPN requirements document explains + the different security requirements for Provider-Provisioned VPNs in + more detail. + + + + + + +Callon & Suzuki Informational [Page 69] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +6.1. System Security + + Like in every network environment, system security is the most + important security aspect that must be enforced. Care must be taken + that no unauthorized party can gain access to the network elements + that control the VPN functionality (e.g., PE and CE devices). + + As the VPN customers are making use of the shared SP's backbone, the + SP must ensure the system security of its network elements and + management systems. + +6.2. Access Control + + When a network or parts of a network are private, one of the + requirements is that access to that network (part) must be restricted + to a limited number of well-defined customers. To accomplish this + requirement, the responsible authority must control every possible + access to the network. + + In the context of PE-based VPNs, the access points to a VPN must be + limited to the interfaces that are known by the SP. + +6.3. Endpoint Authentication + + When one receives data from a certain entity, one would like to be + sure of the identity of the sending party. One would like to be sure + that the sending entity is indeed whom he or she claims to be, and + that the sending entity is authorized to reach a particular + destination. + + In the context of layer 3 PE-based VPNs, both the data received by + the PEs from the customer sites via the SP network and destined for a + customer site should be authenticated. + + Note that different methods for authentication exist. In certain + circumstances, identifying incoming packets with specific customer + interfaces might be sufficient. In other circumstances, (e.g., in + temporary access (dial-in) scenarios), a preliminary authentication + phase might be requested. For example, when PPP is used. Or + alternatively, an authentication process might need to be present in + every data packet transmitted (e.g., in remote access via IPsec). + + For layer 3 PE-based VPNs, VPN traffic is tunneled from PE to PE and + the VPN tunnel endpoint will check the origin of the transmitted + packet. When MPLS is used for VPN tunneling, the tunnel endpoint + + + + + + +Callon & Suzuki Informational [Page 70] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + checks whether the correct labels are used. When IPsec is used for + VPN tunneling, the tunnel endpoint can make use of the IPsec + authentication mechanisms. + + In the context of layer 3 provider-provisioned CE-based VPNs, the + endpoint authentication is enforced by the CE devices. + +6.4. Data Integrity + + When information is exchanged over a certain part of a network, one + would like to be sure that the information that is received by the + receiving party of the exchange is identical to the information that + was sent by the sending party of the exchange. + + In the context of layer 3 PE-based VPNs, the SP assures the data + integrity by ensuring the system security of every network element. + Alternatively, explicit mechanisms may be implemented in the used + tunneling technique (e.g., IPsec). + + In the context of layer 3 provider-provisioned CE-based VPNs, the + underlying network that will tunnel the encapsulated packets will not + always be of a trusted nature, and the CE devices that are + responsible for the tunneling will also ensure the data integrity, + e.g., by making use of the IPsec architecture. + +6.5. Confidentiality + + One would like that the information that is being sent from one party + to another is not received and not readable by other parties. With + traffic flow confidentiality one would like that even the + characteristics of the information sent is hidden from third parties. + Data privacy is the confidentiality of the user data. + + In the context of PPVPNs, confidentiality is often seen as the basic + service offered, as the functionalities of a private network are + offered over a shared infrastructure. + + In the context of layer 3 PE-based VPNs, as the SP network (and more + precisely the PE devices) participates in the routing and forwarding + of the customer VPN data, it is the SP's responsibility to ensure + confidentiality. The technique used in PE-based VPN solutions is the + ensuring of PE to PE data separation. By implementing VFI's in the + PE devices and by tunneling VPN packets through the shared network + infrastructure between PE devices, the VPN data is always kept in a + separate context and thus separated from the other data. + + + + + + +Callon & Suzuki Informational [Page 71] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + In some situations, this data separation might not be sufficient. + Circumstances where the VPN tunnel traverses other than only trusted + and SP controlled network parts require stronger confidentiality + measures such as cryptographic data encryption. This is the case in + certain inter-SP VPN scenarios or when the considered SP is on itself + a client of a third party network provider. + + For layer 3 provider-provisioned CE-based VPNs, the SP network does + not bare responsibility for confidentiality assurance, as the SP just + offers IP connectivity. The confidentiality will then be enforced at + the CE and will lie in the tunneling (data separation) or in the + cryptographic encryption (e.g., using IPsec) by the CE device. + + Note that for very sensitive user data (e.g., used in banking + operations) the VPN customer may not outsource his data privacy + enforcement to a trusted SP. In those situations, PE-to-PE + confidentiality will not be sufficient and end-to-end cryptographic + encryption will be implemented by the VPN customer on its own private + equipment (e.g., using CE-based VPN technologies or cryptographic + encryption over the provided VPN connectivity). + +6.6. User Data and Control Data + + An important remark is the fact that both the user data and the VPN + control data must be protected. + + Previous subsections were focused on the protection of the user data, + but all the control data (e.g., used to set up the VPN tunnels, used + to configure the VFI's or the CE devices (in the context of layer 3 + provider-provisioned CE-based VPNs)) will also be secured by the SP + to prevent deliberate misconfiguration of provider-provisioned VPNs. + +6.7. Security Considerations for Inter-SP VPNs + + In certain scenarios, a single VPN will need to cross multiple SPs. + + The fact that the edge-to-edge part of the data path does not fall + under the control of the same entity can have security implications, + for example with regards to endpoint authentication. + + Another point is that the SPs involved must closely interact to avoid + conflicting configuration information on VPN network elements (such + as VFIs, PEs, CE devices) connected to the different SPs. + + + + + + + + +Callon & Suzuki Informational [Page 72] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +Appendix A: Optimizations for Tunnel Forwarding + +A.1. Header Lookups in the VFIs + + If layer 3 PE-based VPNs are implemented in the most straightforward + manner, then it may be necessary for PE devices to perform multiple + header lookups in order to forward a single data packet. This + section discusses an example of how multiple lookups might be needed + with the most straightforward implementation. Optimizations which + might optionally be used to reduce the number of lookups are + discussed in the following sections. + + As an example, in many cases a tunnel may be set up between VFIs + within PEs for support of a given VPN. When a packet arrives at the + egress PE, the PE may need to do a lookup on the outer header to + determine which VFI the packet belongs to. The PE may then need to + do a second lookup on the packet that was encapsulated across the VPN + tunnel, using the forwarding table specific to that VPN, before + forwarding the packet. + + For scaling reasons it may be desired in some cases to set up VPN + tunnels, and then multiplex multiple VPN-specific tunnels within the + VPN tunnels. + + This implies that in the most straightforward implementation three + header lookups might be necessary in a single PE device: One lookup + may identify that this is the end of the VPN tunnel (implying the + need to strip off the associated header). A second lookup may + identify that this is the end of the VPN-specific tunnel. This + lookup will result in stripping off the second encapsulating header, + and will identify the VFI context for the final lookup. The last + lookup will make use of the IP address space associated with the VPN, + and will result in the packet being forwarded to the correct CE + within the correct VPN. + +A.2. Penultimate Hop Popping for MPLS + + Penultimate hop popping is an optimization which is described in the + MPLS architecture document [RFC3031]. + + Consider the egress node of any MPLS LSP. The node looks at the + label, and discovers that it is the last node. It then strips off + the label header, and looks at the next header in the packet (which + may be an IP header, or which may have another MPLS header in the + case that hierarchical nesting of LSPs is used). For the last node + on the LSP, the outer MPLS header doesn't actually convey any useful + information (except for one situation discussed below). + + + + +Callon & Suzuki Informational [Page 73] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + For this reason, the MPLS standards allow the egress node to request + that the penultimate node strip the MPLS header. If requested, this + implies that the penultimate node does not have a valid label for the + LSP, and must strip the MPLS header. In this case, the egress node + receives the packet with the corresponding MPLS header already + stripped, and can forward the packet properly without needing to + strip the header for the LSP which ends at that egress node. + + There is one case in which the MPLS header conveys useful + information: This is in the case of a VPN-specific LSP terminating at + a PE device. In this case, the value of the label tells the PE which + LSP the packet is arriving on, which in turn is used to determine + which VFI is used for the packet (i.e., which VPN-specific forwarding + table needs to be used to forward the packet). + + However, consider the case where multiple VPN-specific LSPs are + multiplexed inside one PE-to-PE LSP. Also, let's suppose that in + this case the egress PE has chosen all incoming labels (for all LSPs) + to be unique in the context of that PE. This implies that the label + associated with the PE-to-PE LSP is not needed by the egress node. + Rather, it can determine which VFI to use based on the VPN-specific + LSP. In this case, the egress PE can request that the penultimate + LSR performs penultimate label popping for the PE-to-PE LSP. This + eliminates one header lookup in the egress LSR. + + Note that penultimate node label popping is only applicable for VPN + standards which use multiple levels of LSPs. Even in this case + penultimate node label popping is only done when the egress node + specifically requests it from the penultimate node. + +A.3. Demultiplexing to Eliminate the Tunnel Egress VFI Lookup + + Consider a VPN standard which makes use of MPLS as the tunneling + mechanism. Any standard for encapsulating VPN traffic inside LSPs + needs to specify what degree of granularity is available in terms of + the manner in which user data traffic is assigned to LSPs. In other + words, for any given LSP, the ingress or egress PE device needs to + know which LSPs need to be set up, and the ingress PE needs to know + which set of VPN packets are allowed to be mapped to any particular + LSP. + + Suppose that a VPN standard allows some flexibility in terms of the + mapping of packets to LSPs, and suppose that the standard allows the + egress node to determine the granularity. In this case the egress + node would need to have some way to indicate the granularity to the + ingress node, so that the ingress node will know which packets can be + mapped to each LSP. + + + + +Callon & Suzuki Informational [Page 74] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + In this case, the egress node might decide to have packets mapped to + LSPs in a manner which simplifies the header lookup function at the + egress node. For example, the egress node could determine which set + of packets it will forward to a particular neighbor CE device. The + egress node can then specify that the set of IP packets which are to + use a particular LSP correspond to that specific set of packets. For + packets which arrive on the specified LSP, the egress node does not + need to do a header lookup on the VPN's customer address space: It + can just pop the MPLS header and forward the packet to the + appropriate CE device. If all LSPs are set up accordingly, then the + egress node does not need to do any lookup for VPN traffic which + arrives on LSPs from other PEs (in other words, the PE device will + not need to do a second lookup in its role as an egress node). + + Note that PE devices will most likely also be an ingress routers for + traffic going in the other direction. The PE device will need to do + an address lookup in the customer network's address space in its role + as an ingress node. However, in this direction the PE still needs to + do only a single header lookup. + + When used with MPLS tunnels, this optional optimization reduces the + need for header lookups, at the cost of possibly increasing the + number of label values which need to be assigned (since one label + would need to be assigned for each next-hop CE device, rather than + just one label for every VFI). + + The same approach is also possible when other encapsulations are + used, such as GRE [RFC2784] [RFC2890], IP-in-IP [RFC2003] [RFC2473], + or IPsec [RFC2401] [RFC2402]. This requires that distinct values are + used for the multiplexing field in the tunneling protocol. See + section 4.3.2 for detail. + +Acknowledgments + + This document is output of the framework document design team of the + PPVPN WG. The members of the design team are listed in the + "contributors" and "author's addresses" sections below. + + However, sources of this document are based on various inputs from + colleagues of authors and contributors. We would like to thank + Junichi Sumimoto, Kosei Suzuki, Hiroshi Kurakami, Takafumi Hamano, + Naoto Makinae, Kenichi Kitami, Rajesh Balay, Anoop Ghanwani, Harpreet + Chadha, Samir Jain, Lianghwa Jou, Vijay Srinivasan, and Abbie + Matthews. + + We would also like to thank Yakov Rekhter, Scott Bradner, Dave + McDysan, Marco Carugi, Pascal Menezes, Thomas Nadeau, and Alex Zinin + for their valuable comments and suggestions. + + + +Callon & Suzuki Informational [Page 75] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +Normative References + + [PPVPN-REQ] Nagarajan, A., Ed., "Generic Requirements for Provider + Provisioned Virtual Private Networks (PPVPN)", RFC + 3809, June 2004. + + [L3VPN-REQ] Carugi, M., Ed. and D. McDysan, Ed., "Service + Requirements for Layer 3 Provider Provisioned Virtual + Private Networks (PPVPNs)", RFC 4031, April 2005. + +Informative References + + [BGP-COM] Sangli, S., et al., "BGP Extended Communities + Attribute", Work In Progress, February 2005. + + [MPLS-DIFF-TE] Le Faucheur, F., Ed., "Protocol extensions for support + of Differentiated-Service-aware MPLS Traffic + Engineering", Work In Progress, December 2004. + + [VPN-2547BIS] Rosen, E., et al., "BGP/MPLS VPNs", Work In Progress. + + [VPN-BGP-OSPF] Rosen, E., et al., "OSPF as the Provider/Customer Edge + Protocol for BGP/MPLS IP VPNs", Work In Progress, May + 2005. + + [VPN-CE] De Clercq, J., et al., "An Architecture for Provider + Provisioned CE-based Virtual Private Networks using + IPsec", Work In Progress. + + [VPN-DISC] Ould-Brahim, H., et al., "Using BGP as an Auto- + Discovery Mechanism for Layer-3 and Layer-2 VPNs," + Work In Progress. + + [VPN-L2] Andersson, L. and E. Rosen, Eds., "Framework for Layer + 2 Virtual Private Networks (L2VPNs)", Work In + Progress. + + [VPN-VR] Knight, P., et al., "Network based IP VPN Architecture + Using Virtual Routers", Work In Progress, July 2002. + + [RFC1195] Callon, R., "Use of OSI IS-IS for Routing in TCP/IP + and Dual Environments", RFC 1195, December 1990. + + + + + + + + + +Callon & Suzuki Informational [Page 76] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + [RFC1771] Rekhter, Y. and T. Li, "A Border Gateway Protocol 4 + (BGP-4)", RFC 1771, March 1995. + + [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, + G., and E. Lear, "Address Allocation for Private + Internets", BCP 5, RFC 1918, February 1996. + + [RFC1966] Bates, T., "BGP Route Reflection: An alternative to + full mesh IBGP", RFC 1966, June 1996. + + [RFC1997] Chandra, R., Traina, P., and T. Li, "BGP Communities + Attribute", RFC 1997, February 2001. + + [RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003, + October 1996. + + [RFC2205] Braden, R., Zhang, L., Berson, S., Herzog, S., and S. + Jamin, "Resource ReSerVation Protocol (RSVP) -- + Version 1 Functional Specification", RFC 2205, + September 1997. + + [RFC2208] Mankin, A., Ed., Baker, F., Braden, B., Bradner, S., + O'Dell, M., Romanow, A., Weinrib, A., and L. Zhang, + "Resource ReSerVation Protocol (RSVP) Version 1 + Applicability Statement Some Guidelines on + Deployment", RFC 2208, September 1997. + + [RFC2210] Wroclawski, J., "The Use of RSVP with IETF Integrated + Services", RFC 2210, September 1997. + + [RFC2211] Wroclawski, J., "Specification of the Controlled-Load + Network Element Service", RFC 2211, September 1997. + + [RFC2212] Shenker, S., Partridge, C., and R. Guerin, + "Specification of Guaranteed Quality of Service", RFC + 2212, September 1997. + + [RFC2207] Berger, L. and T. O'Malley, "RSVP Extensions for IPSEC + Data Flows", RFC 2207, September 1997. + + [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April + 1998. + + [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for + the Internet Protocol", RFC 2401, November 1998. + + [RFC2402] Kent, S. and R. Atkinson, "IP Authentication Header", + RFC 2402, November 1998. + + + +Callon & Suzuki Informational [Page 77] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + [RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security + Payload (ESP)", RFC 2406, November 1998. + + [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange + (IKE)", RFC 2409, November 1998. + + [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, + November 1994. + + [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in + IPv6 Specification", RFC 2473, December 1998. + + [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, + "Definition of the Differentiated Services Field (DS + Field) in the IPv4 and IPv6 Headers", RFC 2474, + December 1998. + + [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, + Z., and W. Weiss, "An architecture for Differentiated + Services", RFC 2475, December 1998. + + [RFC2597] Heinanen, J., Baker, F., Weiss, W., and J. Wroclawski, + "Assured Forwarding PHB Group", RFC 2597, June 1999. + + [RFC2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., + Zorn, G., and B. Palter, "Layer Two Tunneling Protocol + 'L2TP'", RFC 2661, August 1999. + + [RFC2684] Grossman, D. and J. Heinanen, "Multiprotocol + Encapsulation Over ATM Adaptation Layer 5", RFC 2684, + September 1999. + + [RFC2685] Fox B. and B. Gleeson, "Virtual Private Networks + Identifier," RFC 2685, September 1999. + + [RFC2746] Terzis, A., Krawczyk, J., Wroclawski, J., and L. + Zhang, "RSVP Operation Over IP Tunnels", RFC 2746, + January 2000. + + [RFC2764] Gleeson, B., Lin, A., Heinanen, J., Armitage, G., and + A. Malis, "A Framework for IP Based Virtual Private + Networks", RFC 2764, February 2000. + + [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. + Traina, "Generic Routing Encapsulation (GRE)", RFC + 2784, March 2000. + + + + + +Callon & Suzuki Informational [Page 78] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + [RFC2890] Dommety, G., "Key and Sequence Number Extensions to + GRE", RFC 2890, September 2000. + + [RFC2858] Bates, T., Rekhter, Y., Chandra, R., and D. Katz, + "Multiprotocol Extensions for BGP-4", RFC 2858, June + 2000. + + [RFC2983] Black, D., "Differentiated Services and Tunnels", RFC + 2983, October 2000. + + [RFC3031] Rosen, E., Viswanathan, A., and R. Callon, + "Multiprotocol Label Switching Architecture", RFC + 3031, January 2001. + + [RFC3032] Rosen E., Tappan, D., Fedorkow, G., Rekhter, Y., + Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack + Encoding", RFC 3032, January 2001. + + [RFC3035] Davie, B., Lawrence, J., McCloghrie, K., Rosen, E., + Swallow, G., Rekhter, Y., and P. Doolan, "MPLS using + LDP and ATM VC Switching", RFC 3035, January 2001. + + [RFC3065] Traina, P., McPherson, D., and J. Scudder, "Autonomous + System Confederations for BGP", RFC 3065, June 1996. + + [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, + V., and G. Swallow, "RSVP-TE: Extensions to RSVP for + LSP Tunnels", RFC 3209, December 2001. + + [RFC3246] Davie, B., Charny, A., Bennet, J.C.R., Benson, K., Le + Boudec, J.Y., Courtney, W., Davari, S., Firoiu, V., + and D. Stiliadis, "An Expedited Forwarding PHB (Per- + Hop Behavior)", RFC 3246, March 2002. + + [RFC3270] Le Faucheur, F., Wu, L., Davie, B., Davari, S., + Vaananen, P., Krishnan, R., Cheval, P., and J. + Heinanen, "Multi-Protocol Label Switching (MPLS) + Support of Differentiated Services", RFC 3270, May + 2002. + + [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory + Access Protocol (v3): Technical Specification", RFC + 3377, September 2002. + + + + + + + + +Callon & Suzuki Informational [Page 79] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +Contributors' Addresses + + Jeremy De Clercq + Alcatel + Fr. Wellesplein 1, + 2018 Antwerpen, Belgium + + EMail: jeremy.de_clercq@alcatel.be + + + Bryan Gleeson + Nokia + 313 Fairchild Drive, + Mountain View, CA 94043 USA. + + EMail: bryan.gleeson@nokia.com + + + Andrew G. Malis + Tellabs + 90 Rio Robles Drive + San Jose, CA 95134 USA + + EMail: andy.malis@tellabs.com + + + Karthik Muthukrishnan + Lucent Technologies + 1 Robbins Road + Westford, MA 01886, USA + + EMail: mkarthik@lucent.com + + + Eric C. Rosen + Cisco Systems, Inc. + 1414 Massachusetts Avenue + Boxborough, MA, 01719, USA + + EMail: erosen@cisco.com + + + Chandru Sargor + Redback Networks + 300 Holger Way + San Jose, CA 95134, USA + + EMail: apricot+l3vpn@redback.com + + + +Callon & Suzuki Informational [Page 80] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + + Jieyun Jessica Yu + University of California, Irvine + 5201 California Ave., Suite 150, + Irvine, CA, 92697 USA + + EMail: jyy@uci.edu + +Authors' Addresses + + Ross Callon + Juniper Networks + 10 Technology Park Drive + Westford, MA 01886-3146, USA + + EMail: rcallon@juniper.net + + + Muneyoshi Suzuki + NTT Information Sharing Platform Labs. + 3-9-11, Midori-cho, + Musashino-shi, Tokyo 180-8585, Japan + + EMail: suzuki.muneyoshi@lab.ntt.co.jp + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Callon & Suzuki Informational [Page 81] + +RFC 4110 A Framework for L3 PPVPNs July 2005 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2005). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet + gement + + + + + + +Callon & Suzuki Informational [Page 82] + |