summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc4761.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc4761.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc4761.txt')
-rw-r--r--doc/rfc/rfc4761.txt1571
1 files changed, 1571 insertions, 0 deletions
diff --git a/doc/rfc/rfc4761.txt b/doc/rfc/rfc4761.txt
new file mode 100644
index 0000000..14a835a
--- /dev/null
+++ b/doc/rfc/rfc4761.txt
@@ -0,0 +1,1571 @@
+
+
+
+
+
+
+Network Working Group K. Kompella, Ed.
+Request for Comments: 4761 Y. Rekhter, Ed.
+Category: Standards Track Juniper Networks
+ January 2007
+
+
+ Virtual Private LAN Service (VPLS)
+ Using BGP for Auto-Discovery and Signaling
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The IETF Trust (2007).
+
+IESG Note
+
+ The L2VPN Working Group produced two separate documents, RFC 4762 and
+ this document, that ultimately perform similar functions in different
+ manners. Be aware that each method is commonly referred to as "VPLS"
+ even though they are distinct and incompatible with one another.
+
+Abstract
+
+ Virtual Private LAN Service (VPLS), also known as Transparent LAN
+ Service and Virtual Private Switched Network service, is a useful
+ Service Provider offering. The service offers a Layer 2 Virtual
+ Private Network (VPN); however, in the case of VPLS, the customers in
+ the VPN are connected by a multipoint Ethernet LAN, in contrast to
+ the usual Layer 2 VPNs, which are point-to-point in nature.
+
+ This document describes the functions required to offer VPLS, a
+ mechanism for signaling a VPLS, and rules for forwarding VPLS frames
+ across a packet switched network.
+
+
+
+
+
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 1]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. Scope of This Document .....................................3
+ 1.2. Conventions Used in This Document ..........................4
+ 2. Functional Model ................................................4
+ 2.1. Terminology ................................................5
+ 2.2. Assumptions ................................................5
+ 2.3. Interactions ...............................................6
+ 3. Control Plane ...................................................6
+ 3.1. Auto-Discovery .............................................7
+ 3.1.1. Functions ...........................................7
+ 3.1.2. Protocol Specification ..............................7
+ 3.2. Signaling ..................................................8
+ 3.2.1. Label Blocks ........................................8
+ 3.2.2. VPLS BGP NLRI .......................................9
+ 3.2.3. PW Setup and Teardown ..............................10
+ 3.2.4. Signaling PE Capabilities ..........................10
+ 3.3. BGP VPLS Operation ........................................11
+ 3.4. Multi-AS VPLS .............................................13
+ 3.4.1. Method (a): VPLS-to-VPLS Connections at the ASBRs ..13
+ 3.4.2. Method (b): EBGP Redistribution of VPLS
+ Information between ASBRs ..........................14
+ 3.4.3. Method (c): Multi-Hop EBGP Redistribution
+ of VPLS Information ................................15
+ 3.4.4. Allocation of VE IDs across Multiple ASes ..........16
+ 3.5. Multi-homing and Path Selection ...........................16
+ 3.6. Hierarchical BGP VPLS .....................................17
+ 4. Data Plane .....................................................18
+ 4.1. Encapsulation .............................................18
+ 4.2. Forwarding ................................................18
+ 4.2.1. MAC Address Learning ...............................18
+ 4.2.2. Aging ..............................................19
+ 4.2.3. Flooding ...........................................19
+ 4.2.4. Broadcast and Multicast ............................20
+ 4.2.5. "Split Horizon" Forwarding .........................20
+ 4.2.6. Qualified and Unqualified Learning .................21
+ 4.2.7. Class of Service ...................................21
+ 5. Deployment Options .............................................21
+ 6. Security Considerations ........................................22
+ 7. IANA Considerations ............................................23
+ 8. References .....................................................24
+ 8.1. Normative References ......................................24
+ 8.2. Informative References ....................................24
+ Appendix A. Contributors .........................................26
+ Appendix B. Acknowledgements .....................................26
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 2]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+1. Introduction
+
+ Virtual Private LAN Service (VPLS), also known as Transparent LAN
+ Service and Virtual Private Switched Network service, is a useful
+ service offering. A Virtual Private LAN appears in (almost) all
+ respects as an Ethernet LAN to customers of a Service Provider.
+ However, in a VPLS, the customers are not all connected to a single
+ LAN; the customers may be spread across a metro or wide area. In
+ essence, a VPLS glues together several individual LANs across a
+ packet switched network to appear and function as a single LAN [9].
+ This is accomplished by incorporating MAC address learning, flooding,
+ and forwarding functions in the context of pseudowires that connect
+ these individual LANs across the packet switched network.
+
+ This document details the functions needed to offer VPLS, and then
+ goes on to describe a mechanism for the auto-discovery of the
+ endpoints of a VPLS as well as for signaling a VPLS. It also
+ describes how VPLS frames are transported over tunnels across a
+ packet switched network. The auto-discovery and signaling mechanism
+ uses BGP as the control plane protocol. This document also briefly
+ discusses deployment options, in particular, the notion of decoupling
+ functions across devices.
+
+ Alternative approaches include: [14], which allows one to build a
+ Layer 2 VPN with Ethernet as the interconnect; and [13], which allows
+ one to set up an Ethernet connection across a packet switched
+ network. Both of these, however, offer point-to-point Ethernet
+ services. What distinguishes VPLS from the above two is that a VPLS
+ offers a multipoint service. A mechanism for setting up pseudowires
+ for VPLS using the Label Distribution Protocol (LDP) is defined in
+ [10].
+
+1.1. Scope of This Document
+
+ This document has four major parts: defining a VPLS functional model;
+ defining a control plane for setting up VPLS; defining the data plane
+ for VPLS (encapsulation and forwarding of data); and defining various
+ deployment options.
+
+ The functional model underlying VPLS is laid out in Section 2. This
+ describes the service being offered, the network components that
+ interact to provide the service, and at a high level their
+ interactions.
+
+ The control plane described in this document uses Multiprotocol BGP
+ [4] to establish VPLS service, i.e., for the auto-discovery of VPLS
+ members and for the setup and teardown of the pseudowires that
+ constitute a given VPLS instance. Section 3 focuses on this, and
+
+
+
+Kompella & Rekhter Standards Track [Page 3]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ also describes how a VPLS that spans Autonomous System boundaries is
+ set up, as well as how multi-homing is handled. Using BGP as the
+ control plane for VPNs is not new (see [14], [6], and [11]): what is
+ described here is based on the mechanisms proposed in [6].
+
+ The forwarding plane and the actions that a participating Provider
+ Edge (PE) router offering the VPLS service must take is described in
+ Section 4.
+
+ In Section 5, the notion of 'decoupled' operation is defined, and the
+ interaction of decoupled and non-decoupled PEs is described.
+ Decoupling allows for more flexible deployment of VPLS.
+
+1.2. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [1].
+
+2. Functional Model
+
+ This will be described with reference to the following figure.
+
+ -----
+ / A1 \
+ ---- ____CE1 |
+ / \ -------- -------- / | |
+ | A2 CE2- / \ / PE1 \ /
+ \ / \ / \___/ | \ -----
+ ---- ---PE2 | \
+ | | \ -----
+ | Service Provider Network | \ / \
+ | | CE5 A5 |
+ | ___ | / \ /
+ |----| \ / \ PE4_/ -----
+ |u-PE|--PE3 / \ /
+ |----| -------- -------
+ ---- / | ----
+ / \/ \ / \ CE = Customer Edge Device
+ | A3 CE3 --CE4 A4 | PE = Provider Edge Router
+ \ / \ / u-PE = Layer 2 Aggregation
+ ---- ---- A<n> = Customer site n
+
+ Figure 1: Example of a VPLS
+
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 4]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+2.1. Terminology
+
+ Terminology similar to that in [6] is used: a Service Provider (SP)
+ network with P (Provider-only) and PE (Provider Edge) routers, and
+ customers with CE (Customer Edge) devices. Here, however, there is
+ an additional concept, that of a "u-PE", a Layer 2 PE device used for
+ Layer 2 aggregation. The notion of u-PE is described further in
+ Section 5. PE and u-PE devices are "VPLS-aware", which means that
+ they know that a VPLS service is being offered. The term "VE" refers
+ to a VPLS edge device, which could be either a PE or a u-PE.
+
+ In contrast, the CE device (which may be owned and operated by either
+ the SP or the customer) is VPLS-unaware; as far as the CE is
+ concerned, it is connected to the other CEs in the VPLS via a Layer 2
+ switched network. This means that there should be no changes to a CE
+ device, either to the hardware or the software, in order to offer
+ VPLS.
+
+ A CE device may be connected to a PE or a u-PE via Layer 2 switches
+ that are VPLS-unaware. From a VPLS point of view, such Layer 2
+ switches are invisible, and hence will not be discussed further.
+ Furthermore, a u-PE may be connected to a PE via Layer 2 and Layer 3
+ devices; this will be discussed further in a later section.
+
+ The term "demultiplexor" refers to an identifier in a data packet
+ that identifies the VPLS to which the packet belongs as well as the
+ ingress PE. In this document, the demultiplexor is an MPLS label.
+
+ The term "VPLS" will refer to the service as well as a particular
+ instantiation of the service (i.e., an emulated LAN); it should be
+ clear from the context which usage is intended.
+
+2.2. Assumptions
+
+ The Service Provider Network is a packet switched network. The PEs
+ are assumed to be (logically) fully meshed with tunnels over which
+ packets that belong to a service (such as VPLS) are encapsulated and
+ forwarded. These tunnels can be IP tunnels, such as Generic Routing
+ Encapsulation (GRE), or MPLS tunnels, established by Resource
+ Reservation Protocol - Traffic Engineering (RSVP-TE) or LDP. These
+ tunnels are established independently of the services offered over
+ them; the signaling and establishment of these tunnels are not
+ discussed in this document.
+
+ "Flooding" and MAC address "learning" (see Section 4) are an integral
+ part of VPLS. However, these activities are private to an SP device,
+ i.e., in the VPLS described below, no SP device requests another SP
+ device to flood packets or learn MAC addresses on its behalf.
+
+
+
+Kompella & Rekhter Standards Track [Page 5]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ All the PEs participating in a VPLS are assumed to be fully meshed in
+ the data plane, i.e., there is a bidirectional pseudowire between
+ every pair of PEs participating in that VPLS, and thus every
+ (ingress) PE can send a VPLS packet to the egress PE(s) directly,
+ without the need for an intermediate PE (see Section 4.2.5.) This
+ requires that VPLS PEs are logically fully meshed in the control
+ plane so that a PE can send a message to another PE to set up the
+ necessary pseudowires. See Section 3.6 for a discussion on
+ alternatives to achieve a logical full mesh in the control plane.
+
+2.3. Interactions
+
+ VPLS is a "LAN Service" in that CE devices that belong to a given
+ VPLS instance V can interact through the SP network as if they were
+ connected by a LAN. VPLS is "private" in that CE devices that belong
+ to different VPLSs cannot interact. VPLS is "virtual" in that
+ multiple VPLSs can be offered over a common packet switched network.
+
+ PE devices interact to "discover" all the other PEs participating in
+ the same VPLS, and to exchange demultiplexors. These interactions
+ are control-driven, not data-driven.
+
+ u-PEs interact with PEs to establish connections with remote PEs or
+ u-PEs in the same VPLS. This interaction is control-driven.
+
+ PE devices can participate simultaneously in both VPLS and IP VPNs
+ [6]. These are independent services, and the information exchanged
+ for each type of service is kept separate as the Network Layer
+ Reachability Information (NLRI) used for this exchange has different
+ Address Family Identifiers (AFIs) and Subsequent Address Family
+ Identifiers (SAFIs). Consequently, an implementation MUST maintain a
+ separate routing storage for each service. However, multiple
+ services can use the same underlying tunnels; the VPLS or VPN label
+ is used to demultiplex the packets belonging to different services.
+
+3. Control Plane
+
+ There are two primary functions of the VPLS control plane: auto-
+ discovery, and setup and teardown of the pseudowires that constitute
+ the VPLS, often called signaling. Section 3.1 and Section 3.2
+ describe these functions. Both of these functions are accomplished
+ with a single BGP Update advertisement; Section 3.3 describes how
+ this is done by detailing BGP protocol operation for VPLS.
+ Section 3.4 describes the setting up of pseudowires that span
+ Autonomous Systems. Section 3.5 describes how multi-homing is
+ handled.
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 6]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+3.1. Auto-Discovery
+
+ Discovery refers to the process of finding all the PEs that
+ participate in a given VPLS instance. A PE either can be configured
+ with the identities of all the other PEs in a given VPLS or can use
+ some protocol to discover the other PEs. The latter is called auto-
+ discovery.
+
+ The former approach is fairly configuration-intensive, especially
+ since it is required that the PEs participating in a given VPLS are
+ fully meshed (i.e., that every PE in a given VPLS establish
+ pseudowires to every other PE in that VPLS). Furthermore, when the
+ topology of a VPLS changes (i.e., a PE is added to, or removed from,
+ the VPLS), the VPLS configuration on all PEs in that VPLS must be
+ changed.
+
+ In the auto-discovery approach, each PE "discovers" which other PEs
+ are part of a given VPLS by means of some protocol, in this case BGP.
+ This allows each PE's configuration to consist only of the identity
+ of the VPLS instance established on this PE, not the identity of
+ every other PE in that VPLS instance -- that is auto-discovered.
+ Moreover, when the topology of a VPLS changes, only the affected PE's
+ configuration changes; other PEs automatically find out about the
+ change and adapt.
+
+3.1.1. Functions
+
+ A PE that participates in a given VPLS instance V must be able to
+ tell all other PEs in VPLS V that it is also a member of V. A PE
+ must also have a means of declaring that it no longer participates in
+ a VPLS. To do both of these, the PE must have a means of identifying
+ a VPLS and a means by which to communicate to all other PEs.
+
+ U-PE devices also need to know what constitutes a given VPLS;
+ however, they don't need the same level of detail. The PE (or PEs)
+ to which a u-PE is connected gives the u-PE an abstraction of the
+ VPLS; this is described in Section 5.
+
+3.1.2. Protocol Specification
+
+ The specific mechanism for auto-discovery described here is based on
+ [14] and [6]; it uses BGP extended communities [5] to identify
+ members of a VPLS, in particular, the Route Target community, whose
+ format is described in [5]. The semantics of the use of Route
+ Targets is described in [6]; their use in VPLS is identical.
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 7]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ As it has been assumed that VPLSs are fully meshed, a single Route
+ Target RT suffices for a given VPLS V, and in effect that RT is the
+ identifier for VPLS V.
+
+ A PE announces (typically via I-BGP) that it belongs to VPLS V by
+ annotating its NLRIs for V (see next subsection) with Route Target
+ RT, and acts on this by accepting NLRIs from other PEs that have
+ Route Target RT. A PE announces that it no longer participates in V
+ by withdrawing all NLRIs that it had advertised with Route Target RT.
+
+3.2. Signaling
+
+ Once discovery is done, each pair of PEs in a VPLS must be able to
+ establish (and tear down) pseudowires to each other, i.e., exchange
+ (and withdraw) demultiplexors. This process is known as signaling.
+ Signaling is also used to transmit certain characteristics of the
+ pseudowires that a PE sets up for a given VPLS.
+
+ Recall that a demultiplexor is used to distinguish among several
+ different streams of traffic carried over a tunnel, each stream
+ possibly representing a different service. In the case of VPLS, the
+ demultiplexor not only says to which specific VPLS a packet belongs,
+ but also identifies the ingress PE. The former information is used
+ for forwarding the packet; the latter information is used for
+ learning MAC addresses. The demultiplexor described here is an MPLS
+ label. However, note that the PE-to-PE tunnels need not be MPLS
+ tunnels.
+
+ Using a distinct BGP Update message to send a demultiplexor to each
+ remote PE would require the originating PE to send N such messages
+ for N remote PEs. The solution described in this document allows a
+ PE to send a single (common) Update message that contains
+ demultiplexors for all the remote PEs, instead of N individual
+ messages. Doing this reduces the control plane load both on the
+ originating PE as well as on the BGP Route Reflectors that may be
+ involved in distributing this Update to other PEs.
+
+3.2.1. Label Blocks
+
+ To accomplish this, we introduce the notion of "label blocks". A
+ label block, defined by a label base LB and a VE block size VBS, is a
+ contiguous set of labels {LB, LB+1, ..., LB+VBS-1}. Here's how label
+ blocks work. All PEs within a given VPLS are assigned unique VE IDs
+ as part of their configuration. A PE X wishing to send a VPLS update
+ sends the same label block information to all other PEs. Each
+ receiving PE infers the label intended for PE X by adding its
+ (unique) VE ID to the label base. In this manner, each receiving PE
+ gets a unique demultiplexor for PE X for that VPLS.
+
+
+
+Kompella & Rekhter Standards Track [Page 8]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ This simple notion is enhanced with the concept of a VE block offset
+ VBO. A label block defined by <LB, VBO, VBS> is the set {LB+VBO,
+ LB+VBO+1, ..., LB+VBO+VBS-1}. Thus, instead of a single large label
+ block to cover all VE IDs in a VPLS, one can have several label
+ blocks, each with a different label base. This makes label block
+ management easier, and also allows PE X to cater gracefully to a PE
+ joining a VPLS with a VE ID that is not covered by the set of label
+ blocks that PE X has already advertised.
+
+ When a PE starts up, or is configured with a new VPLS instance, the
+ BGP process may wish to wait to receive several advertisements for
+ that VPLS instance from other PEs to improve the efficiency of label
+ block allocation.
+
+3.2.2. VPLS BGP NLRI
+
+ The VPLS BGP NLRI described below, with a new AFI and SAFI (see [4])
+ is used to exchange VPLS membership and demultiplexors.
+
+ A VPLS BGP NLRI has the following information elements: a VE ID, a VE
+ Block Offset, a VE Block Size, and a label base. The format of the
+ VPLS NLRI is given below. The AFI is the L2VPN AFI (25), and the
+ SAFI is the VPLS SAFI (65). The Length field is in octets.
+
+ +------------------------------------+
+ | Length (2 octets) |
+ +------------------------------------+
+ | Route Distinguisher (8 octets) |
+ +------------------------------------+
+ | VE ID (2 octets) |
+ +------------------------------------+
+ | VE Block Offset (2 octets) |
+ +------------------------------------+
+ | VE Block Size (2 octets) |
+ +------------------------------------+
+ | Label Base (3 octets) |
+ +------------------------------------+
+
+ Figure 2: BGP NLRI for VPLS Information
+
+ A PE participating in a VPLS must have at least one VE ID. If the PE
+ is the VE, it typically has one VE ID. If the PE is connected to
+ several u-PEs, it has a distinct VE ID for each u-PE. It may
+ additionally have a VE ID for itself, if it itself acts as a VE for
+ that VPLS. In what follows, we will call the PE announcing the VPLS
+ NLRI PE-a, and we will assume that PE-a owns VE ID V (either
+ belonging to PE-a itself or to a u-PE connected to PE-a).
+
+
+
+
+Kompella & Rekhter Standards Track [Page 9]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ VE IDs are typically assigned by the network administrator. Their
+ scope is local to a VPLS. A given VE ID should belong to only one
+ PE, unless a CE is multi-homed (see Section 3.5).
+
+ A label block is a set of demultiplexor labels used to reach a given
+ VE ID. A VPLS BGP NLRI with VE ID V, VE Block Offset VBO, VE Block
+ Size VBS, and label base LB communicates to its peers the following:
+
+ label block for V: labels from LB to (LB + VBS - 1), and
+
+ remote VE set for V: from VBO to (VBO + VBS - 1).
+
+ There is a one-to-one correspondence between the remote VE set and
+ the label block: VE ID (VBO + n) corresponds to label (LB + n).
+
+3.2.3. PW Setup and Teardown
+
+ Suppose PE-a is part of VPLS foo and makes an announcement with VE ID
+ V, VE Block Offset VBO, VE Block Size VBS, and label base LB. If
+ PE-b is also part of VPLS foo and has VE ID W, PE-b does the
+ following:
+
+ 1. checks if W is part of PE-a's 'remote VE set': if VBO <= W < VBO
+ + VBS, then W is part of PE-a's remote VE set. If not, PE-b
+ ignores this message, and skips the rest of this procedure.
+
+ 2. sets up a PW to PE-a: the demultiplexor label to send traffic
+ from PE-b to PE-a is computed as (LB + W - VBO).
+
+ 3. checks if V is part of any 'remote VE set' that PE-b announced,
+ i.e., PE-b checks if V belongs to some remote VE set that PE-b
+ announced, say with VE Block Offset VBO', VE Block Size VBS', and
+ label base LB'. If not, PE-b MUST make a new announcement as
+ described in Section 3.3.
+
+ 4. sets up a PW from PE-a: the demultiplexor label over which PE-b
+ should expect traffic from PE-a is computed as: (LB' + V - VBO').
+
+ If Y withdraws an NLRI for V that X was using, then X MUST tear down
+ its ends of the pseudowire between X and Y.
+
+3.2.4. Signaling PE Capabilities
+
+ The following extended attribute, the "Layer2 Info Extended
+ Community", is used to signal control information about the
+ pseudowires to be setup for a given VPLS. The extended community
+ value is to be allocated by IANA (currently used value is 0x800A).
+ This information includes the Encaps Type (type of encapsulation on
+
+
+
+Kompella & Rekhter Standards Track [Page 10]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ the pseudowires), Control Flags (control information regarding the
+ pseudowires), and the Maximum Transmission Unit (MTU) to be used on
+ the pseudowires.
+
+ The Encaps Type for VPLS is 19.
+
+ +------------------------------------+
+ | Extended community type (2 octets) |
+ +------------------------------------+
+ | Encaps Type (1 octet) |
+ +------------------------------------+
+ | Control Flags (1 octet) |
+ +------------------------------------+
+ | Layer-2 MTU (2 octet) |
+ +------------------------------------+
+ | Reserved (2 octets) |
+ +------------------------------------+
+
+ Figure 3: Layer2 Info Extended Community
+
+
+ 0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+
+ | MBZ |C|S| (MBZ = MUST Be Zero)
+ +-+-+-+-+-+-+-+-+
+
+ Figure 4: Control Flags Bit Vector
+
+ With reference to Figure 4, the following bits in the Control Flags
+ are defined; the remaining bits, designated MBZ, MUST be set to zero
+ when sending and MUST be ignored when receiving this community.
+
+ Name Meaning
+
+ C A Control word [7] MUST or MUST NOT be present when
+ sending VPLS packets to this PE, depending on whether C
+ is 1 or 0, respectively
+
+ S Sequenced delivery of frames MUST or MUST NOT be used
+ when sending VPLS packets to this PE, depending on
+ whether S is 1 or 0, respectively
+
+3.3. BGP VPLS Operation
+
+ To create a new VPLS, say VPLS foo, a network administrator must pick
+ an RT for VPLS foo, say RT-foo. This will be used by all PEs that
+ serve VPLS foo. To configure a given PE, say PE-a, to be part of
+ VPLS foo, the network administrator only has to choose a VE ID V for
+
+
+
+Kompella & Rekhter Standards Track [Page 11]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ PE-a. (If PE-a is connected to u-PEs, PE-a may be configured with
+ more than one VE ID; in that case, the following is done for each VE
+ ID). The PE may also be configured with a Route Distinguisher (RD);
+ if not, it generates a unique RD for VPLS foo. Say the RD is
+ RD-foo-a. PE-a then generates an initial label block and a remote VE
+ set for V, defined by VE Block Offset VBO, VE Block Size VBS, and
+ label base LB. These may be empty.
+
+ PE-a then creates a VPLS BGP NLRI with RD RD-foo-a, VE ID V, VE Block
+ Offset VBO, VE Block Size VBS and label base LB. To this, it
+ attaches a Layer2 Info Extended Community and an RT, RT-foo. It sets
+ the BGP Next Hop for this NLRI as itself, and announces this NLRI to
+ its peers. The Network Layer protocol associated with the Network
+ Address of the Next Hop for the combination <AFI=L2VPN AFI, SAFI=VPLS
+ SAFI> is IP; this association is required by [4], Section 5. If the
+ value of the Length of the Next Hop field is 4, then the Next Hop
+ contains an IPv4 address. If this value is 16, then the Next Hop
+ contains an IPv6 address.
+
+ If PE-a hears from another PE, say PE-b, a VPLS BGP announcement with
+ RT-foo and VE ID W, then PE-a knows that PE-b is a member of the same
+ VPLS (auto-discovery). PE-a then has to set up its part of a VPLS
+ pseudowire between PE-a and PE-b, using the mechanisms in
+ Section 3.2. Similarly, PE-b will have discovered that PE-a is in
+ the same VPLS, and PE-b must set up its part of the VPLS pseudowire.
+ Thus, signaling and pseudowire setup is also achieved with the same
+ Update message.
+
+ If W is not in any remote VE set that PE-a announced for VE ID V in
+ VPLS foo, PE-b will not be able to set up its part of the pseudowire
+ to PE-a. To address this, PE-a can choose to withdraw the old
+ announcement(s) it made for VPLS foo, and announce a new Update with
+ a larger remote VE set and corresponding label block that covers all
+ VE IDs that are in VPLS foo. This, however, may cause some service
+ disruption. An alternative for PE-a is to create a new remote VE set
+ and corresponding label block, and announce them in a new Update,
+ without withdrawing previous announcements.
+
+ If PE-a's configuration is changed to remove VE ID V from VPLS foo,
+ then PE-a MUST withdraw all its announcements for VPLS foo that
+ contain VE ID V. If all of PE-a's links to its CEs in VPLS foo go
+ down, then PE-a SHOULD either withdraw all its NLRIs for VPLS foo or
+ let other PEs in the VPLS foo know in some way that PE-a is no longer
+ connected to its CEs.
+
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 12]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+3.4. Multi-AS VPLS
+
+ As in [14] and [6], the above auto-discovery and signaling functions
+ are typically announced via I-BGP. This assumes that all the sites
+ in a VPLS are connected to PEs in a single Autonomous System (AS).
+
+ However, sites in a VPLS may connect to PEs in different ASes. This
+ leads to two issues: 1) there would not be an I-BGP connection
+ between those PEs, so some means of signaling across ASes is needed;
+ and 2) there may not be PE-to-PE tunnels between the ASes.
+
+ A similar problem is solved in [6], Section 10. Three methods are
+ suggested to address issue (1); all these methods have analogs in
+ multi-AS VPLS.
+
+ Here is a diagram for reference:
+
+ __________ ____________ ____________ __________
+ / \ / \ / \ / \
+ \___/ AS 1 \ / AS 2 \___/
+ \ /
+ +-----+ +-------+ | +-------+ +-----+
+ | PE1 | ---...--- | ASBR1 | ======= | ASBR2 | ---...--- | PE2 |
+ +-----+ +-------+ | +-------+ +-----+
+ ___ / \ ___
+ / \ / \ / \
+ \__________/ \____________/ \____________/ \__________/
+
+ Figure 5: Inter-AS VPLS
+
+ As in the above reference, three methods for signaling inter-provider
+ VPLS are given; these are presented in order of increasing
+ scalability. Method (a) is the easiest to understand conceptually,
+ and the easiest to deploy; however, it requires an Ethernet
+ interconnect between the ASes, and both VPLS control and data plane
+ state on the AS border routers (ASBRs). Method (b) requires VPLS
+ control plane state on the ASBRs and MPLS on the AS-AS interconnect
+ (which need not be Ethernet). Method (c) requires MPLS on the AS-AS
+ interconnect, but no VPLS state of any kind on the ASBRs.
+
+3.4.1. Method (a): VPLS-to-VPLS Connections at the ASBRs
+
+ In this method, an AS Border Router (ASBR1) acts as a PE for all
+ VPLSs that span AS1 and an AS to which ASBR1 is connected, such as
+ AS2 here. The ASBR on the neighboring AS (ASBR2) is viewed by ASBR1
+ as a CE for the VPLSs that span AS1 and AS2; similarly, ASBR2 acts as
+ a PE for this VPLS from AS2's point of view, and views ASBR1 as a CE.
+
+
+
+
+Kompella & Rekhter Standards Track [Page 13]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ This method does not require MPLS on the ASBR1-ASBR2 link, but does
+ require that this link carry Ethernet traffic and that there be a
+ separate VLAN sub-interface for each VPLS traversing this link. It
+ further requires that ASBR1 does the PE operations (discovery,
+ signaling, MAC address learning, flooding, encapsulation, etc.) for
+ all VPLSs that traverse ASBR1. This imposes a significant burden on
+ ASBR1, both on the control plane and the data plane, which limits the
+ number of multi-AS VPLSs.
+
+ Note that in general, there will be multiple connections between a
+ pair of ASes, for redundancy. In this case, the Spanning Tree
+ Protocol (STP) [15], or some other means of loop detection and
+ prevention, must be run on each VPLS that spans these ASes, so that a
+ loop-free topology can be constructed in each VPLS. This imposes a
+ further burden on the ASBRs and PEs participating in those VPLSs, as
+ these devices would need to run a loop detection algorithm for each
+ such VPLS. How this may be achieved is outside the scope of this
+ document.
+
+3.4.2. Method (b): EBGP Redistribution of VPLS Information between
+ ASBRs
+
+ This method requires I-BGP peerings between the PEs in AS1 and ASBR1
+ in AS1 (perhaps via route reflectors), an E-BGP peering between ASBR1
+ and ASBR2 in AS2, and I-BGP peerings between ASBR2 and the PEs in
+ AS2. In the above example, PE1 sends a VPLS NLRI to ASBR1 with a
+ label block and itself as the BGP nexthop; ASBR1 sends the NLRI to
+ ASBR2 with new labels and itself as the BGP nexthop; and ASBR2 sends
+ the NLRI to PE2 with new labels and itself as the nexthop.
+ Correspondingly, there are three tunnels: T1 from PE1 to ASBR1, T2
+ from ASBR1 to ASBR2, and T3 from ASBR2 to PE2. Within each tunnel,
+ the VPLS label to be used is determined by the receiving device;
+ e.g., the VPLS label within T1 is a label from the label block that
+ ASBR1 sent to PE1. The ASBRs are responsible for receiving VPLS
+ packets encapsulated in a tunnel and performing the appropriate label
+ swap operations described next so that the next receiving device can
+ correctly identify and forward the packet.
+
+ The VPLS NLRI that ASBR1 sends to ASBR2 (and the NLRI that ASBR2
+ sends to PE2) is identical to the VPLS NLRI that PE1 sends to ASBR1,
+ except for the label block. To be precise, the Length, the Route
+ Distinguisher, the VE ID, the VE Block Offset, and the VE Block Size
+ MUST be the same; the Label Base may be different. Furthermore,
+ ASBR1 must also update its forwarding path as follows: if the Label
+ Base sent by PE1 is L1, the Label-block Size is N, the Label Base
+ sent by ASBR1 is L2, and the tunnel label from ASBR1 to PE1 is T,
+ then ASBR1 must install the following in the forwarding path:
+
+
+
+
+Kompella & Rekhter Standards Track [Page 14]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ swap L2 with L1 and push T,
+
+ swap L2+1 with L1+1 and push T, ...
+
+ swap L2+N-1 with L1+N-1 and push T.
+
+ ASBR2 must act similarly, except that it may not need a tunnel label
+ if it is directly connected with ASBR1.
+
+ When PE2 wants to send a VPLS packet to PE1, PE2 uses its VE ID to
+ get the right VPLS label from ASBR2's label block for PE1, and uses a
+ tunnel label to reach ASBR2. ASBR2 swaps the VPLS label with the
+ label from ASBR1; ASBR1 then swaps the VPLS label with the label from
+ PE1, and pushes a tunnel label to reach PE1.
+
+ In this method, one needs MPLS on the ASBR1-ASBR2 interface, but
+ there is no requirement that the link layer be Ethernet.
+ Furthermore, the ASBRs take part in distributing VPLS information.
+ However, the data plane requirements of the ASBRs are much simpler
+ than in method (a), being limited to label operations. Finally, the
+ construction of loop-free VPLS topologies is done by routing
+ decisions, viz. BGP path and nexthop selection, so there is no need
+ to run the Spanning Tree Protocol on a per-VPLS basis. Thus, this
+ method is considerably more scalable than method (a).
+
+3.4.3. Method (c): Multi-Hop EBGP Redistribution of VPLS Information
+ between ASes
+
+ In this method, there is a multi-hop E-BGP peering between the PEs
+ (or preferably, a Route Reflector) in AS1 and the PEs (or Route
+ Reflector) in AS2. PE1 sends a VPLS NLRI with labels and nexthop
+ self to PE2; if this is via route reflectors, the BGP nexthop is not
+ changed. This requires that there be a tunnel LSP from PE1 to PE2.
+ This tunnel LSP can be created exactly as in [6], Section 10 (c), for
+ example using E-BGP to exchange labeled IPv4 routes for the PE
+ loopbacks.
+
+ When PE1 wants to send a VPLS packet to PE2, it pushes the VPLS label
+ corresponding to its own VE ID onto the packet. It then pushes the
+ tunnel label(s) to reach PE2.
+
+ This method requires no VPLS information (in either the control or
+ the data plane) on the ASBRs. The ASBRs only need to set up PE-to-PE
+ tunnel LSPs in the control plane, and do label operations in the data
+ plane. Again, as in the case of method (b), the construction of
+ loop-free VPLS topologies is done by routing decisions, i.e., BGP
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 15]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ path and nexthop selection, so there is no need to run the Spanning
+ Tree Protocol on a per-VPLS basis. This option is likely to be the
+ most scalable of the three methods presented here.
+
+3.4.4. Allocation of VE IDs across Multiple ASes
+
+ In order to ease the allocation of VE IDs for a VPLS that spans
+ multiple ASes, one can allocate ranges for each AS. For example, AS1
+ uses VE IDs in the range 1 to 100, AS2 from 101 to 200, etc. If
+ there are 10 sites attached to AS1 and 20 to AS2, the allocated VE
+ IDs could be 1-10 and 101 to 120. This minimizes the number of VPLS
+ NLRIs that are exchanged while ensuring that VE IDs are kept unique.
+
+ In the above example, if AS1 needed more than 100 sites, then another
+ range can be allocated to AS1. The only caveat is that there be no
+ overlap between VE ID ranges among ASes. The exception to this rule
+ is multi-homing, which is dealt with below.
+
+3.5. Multi-homing and Path Selection
+
+ It is often desired to multi-home a VPLS site, i.e., to connect it to
+ multiple PEs, perhaps even in different ASes. In such a case, the
+ PEs connected to the same site can be configured either with the same
+ VE ID or with different VE IDs. In the latter case, it is mandatory
+ to run STP on the CE device, and possibly on the PEs, to construct a
+ loop-free VPLS topology. How this can be accomplished is outside the
+ scope of this document; however, the rest of this section will
+ describe in some detail the former case. Note that multi-homing by
+ the SP and STP on the CEs can co-exist; thus, it is recommended that
+ the VPLS customer run STP if the CEs are able to.
+
+ In the case where the PEs connected to the same site are assigned the
+ same VE ID, a loop-free topology is constructed by routing
+ mechanisms, in particular, by BGP path selection. When a BGP speaker
+ receives two equivalent NLRIs (see below for the definition), it
+ applies standard path selection criteria such as Local Preference and
+ AS Path Length to determine which NLRI to choose; it MUST pick only
+ one. If the chosen NLRI is subsequently withdrawn, the BGP speaker
+ applies path selection to the remaining equivalent VPLS NLRIs to pick
+ another; if none remain, the forwarding information associated with
+ that NLRI is removed.
+
+ Two VPLS NLRIs are considered equivalent from a path selection point
+ of view if the Route Distinguisher, the VE ID, and the VE Block
+ Offset are the same. If two PEs are assigned the same VE ID in a
+ given VPLS, they MUST use the same Route Distinguisher, and they
+ SHOULD announce the same VE Block Size for a given VE Offset.
+
+
+
+
+Kompella & Rekhter Standards Track [Page 16]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+3.6. Hierarchical BGP VPLS
+
+ This section discusses how one can scale the VPLS control plane when
+ using BGP. There are at least three aspects of scaling the control
+ plane:
+
+ 1. alleviating the full mesh connectivity requirement among VPLS BGP
+ speakers;
+
+ 2. limiting BGP VPLS message passing to just the interested speakers
+ rather than all BGP speakers; and
+
+ 3. simplifying the addition and deletion of BGP speakers, whether
+ for VPLS or other applications.
+
+ Fortunately, the use of BGP for Internet routing as well as for IP
+ VPNs has yielded several good solutions for all these problems. The
+ basic technique is hierarchy, using BGP Route Reflectors (RRs) [8].
+ The idea is to designate a small set of Route Reflectors that are
+ themselves fully meshed, and then establish a BGP session between
+ each BGP speaker and one or more RRs. In this way, there is no need
+ for direct full mesh connectivity among all the BGP speakers. If the
+ particular scaling needs of a provider require a large number of RRs,
+ then this technique can be applied recursively: the full mesh
+ connectivity among the RRs can be brokered by yet another level of
+ RRs. The use of RRs solves problems 1 and 3 above.
+
+ It is important to note that RRs, as used for VPLS and VPNs, are
+ purely a control plane technique. The use of RRs introduces no data
+ plane state and no data plane forwarding requirements on the RRs, and
+ does not in any way change the forwarding path of VPLS traffic. This
+ is in contrast to the technique of Hierarchical VPLS defined in [10].
+
+ Another consequence of this approach is that it is not required that
+ one set of RRs handles all BGP messages, or that a particular RR
+ handle all messages from a given PE. One can define several sets of
+ RRs, for example, a set to handle VPLS, another to handle IP VPNs,
+ and another for Internet routing. Another partitioning could be to
+ have some subset of VPLSs and IP VPNs handled by one set of RRs, and
+ another subset of VPLSs and IP VPNs handled by another set of RRs;
+ the use of Route Target Filtering (RTF), described in [12], can make
+ this simpler and more effective.
+
+ Finally, problem 2 (that of limiting BGP VPLS message passing to just
+ the interested BGP speakers) is addressed by the use of RTF. This
+ technique is orthogonal to the use of RRs, but works well in
+ conjunction with RRs. RTF is also very effective in inter-AS VPLS;
+ more details on how RTF works and its benefits are provided in [12].
+
+
+
+Kompella & Rekhter Standards Track [Page 17]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ It is worth mentioning an aspect of the control plane that is often a
+ source of confusion. No MAC addresses are exchanged via BGP. All
+ MAC address learning and aging is done in the data plane individually
+ by each PE. The only task of BGP VPLS message exchange is auto-
+ discovery and label exchange.
+
+ Thus, BGP processing for VPLS occurs when
+
+ 1. a PE joins or leaves a VPLS; or
+
+ 2. a failure occurs in the network, bringing down a PE-PE tunnel or
+ a PE-CE link.
+
+ These events are relatively rare, and typically, each such event
+ causes one BGP update to be generated. Coupled with BGP's messaging
+ efficiency when used for signaling VPLS, these observations lead to
+ the conclusion that BGP as a control plane for VPLS will scale quite
+ well in terms of both processing and memory requirements.
+
+4. Data Plane
+
+ This section discusses two aspects of the data plane for PEs and
+ u-PEs implementing VPLS: encapsulation and forwarding.
+
+4.1. Encapsulation
+
+ Ethernet frames received from CE devices are encapsulated for
+ transmission over the packet switched network connecting the PEs.
+ The encapsulation is as in [7].
+
+4.2. Forwarding
+
+ VPLS packets are classified as belonging to a given service instance
+ and associated forwarding table based on the interface over which the
+ packet is received. Packets are forwarded in the context of the
+ service instance based on the destination MAC address. The former
+ mapping is determined by configuration. The latter is the focus of
+ this section.
+
+4.2.1. MAC Address Learning
+
+ As was mentioned earlier, the key distinguishing feature of VPLS is
+ that it is a multipoint service. This means that the entire Service
+ Provider network should appear as a single logical learning bridge
+ for each VPLS that the SP network supports. The logical ports for
+ the SP "bridge" are the customer ports as well as the pseudowires on
+ a VE. Just as a learning bridge learns MAC addresses on its ports,
+ the SP bridge must learn MAC addresses at its VEs.
+
+
+
+Kompella & Rekhter Standards Track [Page 18]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ Learning consists of associating source MAC addresses of packets with
+ the (logical) ports on which they arrive; this association is the
+ Forwarding Information Base (FIB). The FIB is used for forwarding
+ packets. For example, suppose the bridge receives a packet with
+ source MAC address S on (logical) port P. If subsequently, the
+ bridge receives a packet with destination MAC address S, it knows
+ that it should send the packet out on port P.
+
+ If a VE learns a source MAC address S on logical port P, then later
+ sees S on a different port P', then the VE MUST update its FIB to
+ reflect the new port P'. A VE MAY implement a mechanism to damp
+ flapping of source ports for a given MAC address.
+
+4.2.2. Aging
+
+ VPLS PEs SHOULD have an aging mechanism to remove a MAC address
+ associated with a logical port, much the same as learning bridges do.
+ This is required so that a MAC address can be relearned if it "moves"
+ from a logical port to another logical port, either because the
+ station to which that MAC address belongs really has moved or because
+ of a topology change in the LAN that causes this MAC address to
+ arrive on a new port. In addition, aging reduces the size of a VPLS
+ MAC table to just the active MAC addresses, rather than all MAC
+ addresses in that VPLS.
+
+ The "age" of a source MAC address S on a logical port P is the time
+ since it was last seen as a source MAC on port P. If the age exceeds
+ the aging time T, S MUST be flushed from the FIB. This of course
+ means that every time S is seen as a source MAC address on port P,
+ S's age is reset.
+
+ An implementation SHOULD provide a configurable knob to set the aging
+ time T on a per-VPLS basis. In addition, an implementation MAY
+ accelerate aging of all MAC addresses in a VPLS if it detects certain
+ situations, such as a Spanning Tree topology change in that VPLS.
+
+4.2.3. Flooding
+
+ When a bridge receives a packet to a destination that is not in its
+ FIB, it floods the packet on all the other ports. Similarly, a VE
+ will flood packets to an unknown destination to all other VEs in the
+ VPLS.
+
+ In Figure 1 above, if CE2 sent an Ethernet frame to PE2, and the
+ destination MAC address on the frame was not in PE2's FIB (for that
+ VPLS), then PE2 would be responsible for flooding that frame to every
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 19]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ other PE in the same VPLS. On receiving that frame, PE1 would be
+ responsible for further flooding the frame to CE1 and CE5 (unless PE1
+ knew which CE "owned" that MAC address).
+
+ On the other hand, if PE3 received the frame, it could delegate
+ further flooding of the frame to its u-PE. If PE3 was connected to
+ two u-PEs, it would announce that it has two u-PEs. PE3 could either
+ announce that it is incapable of flooding, in which case it would
+ receive two frames, one for each u-PE, or it could announce that it
+ is capable of flooding, in which case it would receive one copy of
+ the frame, which it would then send to both u-PEs.
+
+4.2.4. Broadcast and Multicast
+
+ There is a well-known broadcast MAC address. An Ethernet frame whose
+ destination MAC address is the broadcast MAC address must be sent to
+ all stations in that VPLS. This can be accomplished by the same
+ means that is used for flooding.
+
+ There is also an easily recognized set of "multicast" MAC addresses.
+ Ethernet frames with a destination multicast MAC address MAY be
+ broadcast to all stations; a VE MAY also use certain techniques to
+ restrict transmission of multicast frames to a smaller set of
+ receivers, those that have indicated interest in the corresponding
+ multicast group. Discussion of this is outside the scope of this
+ document.
+
+4.2.5. "Split Horizon" Forwarding
+
+ When a PE capable of flooding (say PEx) receives a broadcast Ethernet
+ frame, or one with an unknown destination MAC address, it must flood
+ the frame. If the frame arrived from an attached CE, PEx must send a
+ copy of the frame to every other attached CE, as well as to all other
+ PEs participating in the VPLS. If, on the other hand, the frame
+ arrived from another PE (say PEy), PEx must send a copy of the packet
+ only to attached CEs. PEx MUST NOT send the frame to other PEs,
+ since PEy would have already done so. This notion has been termed
+ "split horizon" forwarding and is a consequence of the PEs being
+ logically fully meshed for VPLS.
+
+ Split horizon forwarding rules apply to broadcast and multicast
+ packets, as well as packets to an unknown MAC address.
+
+
+
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 20]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+4.2.6. Qualified and Unqualified Learning
+
+ The key for normal Ethernet MAC learning is usually just the
+ (6-octet) MAC address. This is called "unqualified learning".
+ However, it is also possible that the key for learning includes the
+ VLAN tag when present; this is called "qualified learning".
+
+ In the case of VPLS, learning is done in the context of a VPLS
+ instance, which typically corresponds to a customer. If the customer
+ uses VLAN tags, one can make the same distinctions of qualified and
+ unqualified learning. If the key for learning within a VPLS is just
+ the MAC address, then this VPLS is operating under unqualified
+ learning. If the key for learning is (customer VLAN tag + MAC
+ address), then this VPLS is operating under qualified learning.
+
+ Choosing between qualified and unqualified learning involves several
+ factors, the most important of which is whether one wants a single
+ global broadcast domain (unqualified) or a broadcast domain per VLAN
+ (qualified). The latter makes flooding and broadcasting more
+ efficient, but requires larger MAC tables. These considerations
+ apply equally to normal Ethernet forwarding and to VPLS.
+
+4.2.7. Class of Service
+
+ In order to offer different Classes of Service within a VPLS, an
+ implementation MAY choose to map 802.1p bits in a customer Ethernet
+ frame with a VLAN tag to an appropriate setting of EXP bits in the
+ pseudowire and/or tunnel label, allowing for differential treatment
+ of VPLS frames in the packet switched network.
+
+ To be useful, an implementation SHOULD allow this mapping function to
+ be different for each VPLS, as each VPLS customer may have its own
+ view of the required behavior for a given setting of 802.1p bits.
+
+5. Deployment Options
+
+ In deploying a network that supports VPLS, the SP must decide what
+ functions the VPLS-aware device closest to the customer (the VE)
+ supports. The default case described in this document is that the VE
+ is a PE. However, there are a number of reasons that the VE might be
+ a device that does all the Layer 2 functions (such as MAC address
+ learning and flooding), and a limited set of Layer 3 functions (such
+ as communicating to its PE), but, for example, doesn't do full-
+ fledged discovery and PE-to-PE signaling. Such a device is called a
+ "u-PE".
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 21]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ As both of these cases have benefits, one would like to be able to
+ "mix and match" these scenarios. The signaling mechanism presented
+ here allows this. For example, in a given provider network, one PE
+ may be directly connected to CE devices, another may be connected to
+ u-PEs that are connected to CEs, and a third may be connected
+ directly to a customer over some interfaces and to u-PEs over others.
+ All these PEs perform discovery and signaling in the same manner.
+ How they do learning and forwarding depends on whether or not there
+ is a u-PE; however, this is a local matter, and is not signaled.
+ However, the details of the operation of a u-PE and its interactions
+ with PEs and other u-PEs are beyond the scope of this document.
+
+6. Security Considerations
+
+ The focus in Virtual Private LAN Service is the privacy of data,
+ i.e., that data in a VPLS is only distributed to other nodes in that
+ VPLS and not to any external agent or other VPLS. Note that VPLS
+ does not offer confidentiality, integrity, or authentication: VPLS
+ packets are sent in the clear in the packet switched network, and a
+ man-in-the-middle can eavesdrop, and may be able to inject packets
+ into the data stream. If security is desired, the PE-to-PE tunnels
+ can be IPsec tunnels. For more security, the end systems in the VPLS
+ sites can use appropriate means of encryption to secure their data
+ even before it enters the Service Provider network.
+
+ There are two aspects to achieving data privacy in a VPLS: securing
+ the control plane and protecting the forwarding path. Compromise of
+ the control plane could result in a PE sending data belonging to some
+ VPLS to another VPLS, or blackholing VPLS data, or even sending it to
+ an eavesdropper; none of which are acceptable from a data privacy
+ point of view. Since all control plane exchanges are via BGP,
+ techniques such as in [2] help authenticate BGP messages, making it
+ harder to spoof updates (which can be used to divert VPLS traffic to
+ the wrong VPLS) or withdraws (denial-of-service attacks). In the
+ multi-AS methods (b) and (c) described in Section 3, this also means
+ protecting the inter-AS BGP sessions, between the ASBRs, the PEs, or
+ the Route Reflectors. One can also use the techniques described in
+ Section 10 (b) and (c) of [6], both for the control plane and the
+ data plane. Note that [2] will not help in keeping VPLS labels
+ private -- knowing the labels, one can eavesdrop on VPLS traffic.
+ However, this requires access to the data path within a Service
+ Provider network.
+
+ There can also be misconfiguration leading to unintentional
+ connection of CEs in different VPLSs. This can be caused, for
+ example, by associating the wrong Route Target with a VPLS instance.
+ This problem, shared by [6], is for further study.
+
+
+
+
+Kompella & Rekhter Standards Track [Page 22]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ Protecting the data plane requires ensuring that PE-to-PE tunnels are
+ well-behaved (this is outside the scope of this document), and that
+ VPLS labels are accepted only from valid interfaces. For a PE, valid
+ interfaces comprise links from P routers. For an ASBR, a valid
+ interface is a link from an ASBR in an AS that is part of a given
+ VPLS. It is especially important in the case of multi-AS VPLSs that
+ one accept VPLS packets only from valid interfaces.
+
+ MPLS-in-IP and MPLS-in-GRE tunneling are specified in [3]. If it is
+ desired to use such tunnels to carry VPLS packets, then the security
+ considerations described in Section 8 of that document must be fully
+ understood. Any implementation of VPLS that allows VPLS packets to
+ be tunneled as described in that document MUST contain an
+ implementation of IPsec that can be used as therein described. If
+ the tunnel is not secured by IPsec, then the technique of IP address
+ filtering at the border routers, described in Section 8.2 of that
+ document, is the only means of ensuring that a packet that exits the
+ tunnel at a particular egress PE was actually placed in the tunnel by
+ the proper tunnel head node (i.e., that the packet does not have a
+ spoofed source address). Since border routers frequently filter only
+ source addresses, packet filtering may not be effective unless the
+ egress PE can check the IP source address of any tunneled packet it
+ receives, and compare it to a list of IP addresses that are valid
+ tunnel head addresses. Any implementation that allows MPLS-in-IP
+ and/or MPLS-in-GRE tunneling to be used without IPsec MUST allow the
+ egress PE to validate in this manner the IP source address of any
+ tunneled packet that it receives.
+
+7. IANA Considerations
+
+ IANA allocated value (25) for AFI for L2VPN information. This should
+ be the same as the AFI requested by [11].
+
+ IANA allocated an extended community value (0x800a) for the Layer2
+ Info Extended Community.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 23]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+8. References
+
+8.1. Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
+ Signature Option", RFC 2385, August 1998.
+
+ [3] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating MPLS in
+ IP or Generic Routing Encapsulation (GRE)", RFC 4023,
+ March 2005.
+
+ [4] Bates, T., Katz, D., and Y. Rekhter, "Multiprotocol Extensions
+ for BGP-4", RFC 4760, January 2007.
+
+ [5] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
+ Communities Attribute", RFC 4360, February 2006.
+
+ [6] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private Networks
+ (VPNs)", RFC 4364, February 2006.
+
+ [7] Martini, L., Rosen, E., El-Aawar, N., and G. Heron,
+ "Encapsulation Methods for Transport of Ethernet over MPLS
+ Networks", RFC 4448, April 2006.
+
+8.2. Informative References
+
+ [8] Bates, T., Chen, E., and R. Chandra, "BGP Route Reflection: An
+ Alternative to Full Mesh Internal BGP (IBGP)", RFC 4456,
+ April 2006.
+
+ [9] Andersson, L. and E. Rosen, "Framework for Layer 2 Virtual
+ Private Networks (L2VPNs)", RFC 4664, September 2006.
+
+ [10] Lasserre, M., Ed. and V. Kompella, Ed., "Virtual Private LAN
+ Service (VPLS) Using Label Distribution Protocol (LDP)
+ Signaling", RFC 4762, January 2007.
+
+ [11] Ould-Brahim, H., "Using BGP as an Auto-Discovery Mechanism for
+ VR-based Layer-3 VPNs", Work in Progress, April 2006.
+
+ [12] Marques, P., "Constrained VPN Route Distribution", Work in
+ Progress, June 2005.
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 24]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+ [13] Martini, L., Rosen, E., El-Aawar, N., Smith, T., and G. Heron,
+ "Pseudowire Setup and Maintenance Using the Label Distribution
+ Protocol (LDP)", RFC 4447, April 2006.
+
+ [14] Kompella, K., "Layer 2 VPNs Over Tunnels", Work in Progress,
+ January 2006.
+
+ [15] Institute of Electrical and Electronics Engineers, "Information
+ technology - Telecommunications and information exchange
+ between systems - Local and metropolitan area networks - Common
+ specifications - Part 3: Media Access Control (MAC) Bridges:
+ Revision. This is a revision of ISO/IEC 10038: 1993, 802.1j-
+ 1992 and 802.6k-1992. It incorporates P802.11c, P802.1p and
+ P802.12e. ISO/IEC 15802-3: 1998.", IEEE Standard 802.1D,
+ July 1998.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 25]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+Appendix A. Contributors
+
+ The following contributed to this document:
+
+ Javier Achirica, Telefonica
+ Loa Andersson, Acreo
+ Giles Heron, Tellabs
+ Sunil Khandekar, Alcatel-Lucent
+ Chaitanya Kodeboyina, Nuova Systems
+ Vach Kompella, Alcatel-Lucent
+ Marc Lasserre, Alcatel-Lucent
+ Pierre Lin
+ Pascal Menezes
+ Ashwin Moranganti, Appian
+ Hamid Ould-Brahim, Nortel
+ Seo Yeong-il, Korea Tel
+
+Appendix B. Acknowledgements
+
+ Thanks to Joe Regan and Alfred Nothaft for their contributions. Many
+ thanks too to Eric Ji, Chaitanya Kodeboyina, Mike Loomis, and Elwyn
+ Davies for their detailed reviews.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 26]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+Editors' Addresses
+
+ Kireeti Kompella
+ Juniper Networks
+ 1194 N. Mathilda Ave.
+ Sunnyvale, CA 94089
+ US
+
+ EMail: kireeti@juniper.net
+
+
+ Yakov Rekhter
+ Juniper Networks
+ 1194 N. Mathilda Ave.
+ Sunnyvale, CA 94089
+ US
+
+ EMail: yakov@juniper.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 27]
+
+RFC 4761 BGP Auto-Discovery and Signaling for VPLS January 2007
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2007).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+Kompella & Rekhter Standards Track [Page 28]
+