summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc6624.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc6624.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc6624.txt')
-rw-r--r--doc/rfc/rfc6624.txt1459
1 files changed, 1459 insertions, 0 deletions
diff --git a/doc/rfc/rfc6624.txt b/doc/rfc/rfc6624.txt
new file mode 100644
index 0000000..f0b3fdb
--- /dev/null
+++ b/doc/rfc/rfc6624.txt
@@ -0,0 +1,1459 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) K. Kompella
+Request for Comments: 6624 Juniper Networks
+Category: Informational B. Kothari
+ISSN: 2070-1721 Cisco Systems
+ R. Cherukuri
+ Juniper Networks
+ May 2012
+
+
+ Layer 2 Virtual Private Networks Using BGP for
+ Auto-Discovery and Signaling
+
+Abstract
+
+ Layer 2 Virtual Private Networks (L2VPNs) based on Frame Relay or ATM
+ circuits have been around a long time; more recently, Ethernet VPNs,
+ including Virtual Private LAN Service, have become popular.
+ Traditional L2VPNs often required a separate Service Provider
+ infrastructure for each type and yet another for the Internet and IP
+ VPNs. In addition, L2VPN provisioning was cumbersome. This document
+ presents a new approach to the problem of offering L2VPN services
+ where the L2VPN customer's experience is virtually identical to that
+ offered by traditional L2VPNs, but such that a Service Provider can
+ maintain a single network for L2VPNs, IP VPNs, and the Internet, as
+ well as a common provisioning methodology for all services.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6624.
+
+
+
+
+
+
+
+
+
+
+Kompella, et al. Informational [Page 1]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+Copyright Notice
+
+ Copyright (c) 2012 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kompella, et al. Informational [Page 2]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. Terminology ................................................6
+ 1.1.1. Conventions Used in This Document ...................6
+ 1.2. Advantages of Layer 2 VPNs .................................6
+ 1.2.1. Separation of Administrative Responsibilities .......7
+ 1.2.2. Migrating from Traditional Layer 2 VPNs .............7
+ 1.2.3. Privacy of Routing ..................................7
+ 1.2.4. Layer 3 Independence ................................7
+ 1.2.5. PE Scaling ..........................................8
+ 1.2.6. Ease of Configuration ...............................8
+ 1.3. Advantages of Layer 3 VPNs .................................9
+ 1.3.1. Layer 2 Independence ................................9
+ 1.3.2. SP Routing as Added Value ..........................10
+ 1.3.3. Class of Service ...................................10
+ 1.4. Multicast Routing .........................................10
+ 2. Operation of a Layer 2 VPN .....................................11
+ 2.1. Network Topology ..........................................11
+ 2.2. Configuration .............................................13
+ 2.2.1. CE Configuration ...................................14
+ 2.2.2. PE Configuration ...................................15
+ 2.2.3. Adding a New Site ..................................15
+ 2.2.4. Deleting a Site ....................................16
+ 2.2.5. Managing CE ID Mappings ............................16
+ 2.2.6. Managing Label Blocks ..............................16
+ 2.3. Operations, Administration, and Maintenance (OAM) .........17
+ 3. PE Information Exchange ........................................17
+ 3.1. Circuit Status Vector .....................................19
+ 3.2. Generalizing the VPN Topology .............................20
+ 4. Layer 2 Interworking ...........................................21
+ 5. Packet Transport ...............................................22
+ 5.1. Layer 2 MTU ...............................................22
+ 5.2. Layer 2 Frame Format ......................................22
+ 5.3. IP-Only Layer 2 Interworking ..............................23
+ 6. Security Considerations ........................................23
+ 7. IANA Considerations ............................................23
+ 8. Acknowledgments ................................................24
+ 9. Contributors ...................................................24
+ 10. References ....................................................24
+ 10.1. Normative References .....................................24
+ 10.2. Informative References ...................................25
+
+
+
+
+
+
+
+
+
+Kompella, et al. Informational [Page 3]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+1. Introduction
+
+ The earliest Virtual Private Networks (VPNs) were based on Layer 2
+ circuits: X.25, Frame Relay, and ATM (see [Kosiur]). More recently,
+ multipoint VPNs based on Ethernet Virtual Local Area Networks (VLANs)
+ and Virtual Private LAN Service (VPLS) [RFC4761][RFC4762] have become
+ quite popular. In contrast, the VPNs described in this document are
+ point-to-point, and usually called Virtual Private Wire Service
+ (VPWS). All of these come under the classification of Layer 2 VPNs
+ (L2VPNs), as the customer-to-Service-Provider hand-off is at Layer 2.
+
+ There are at least two factors that adversely affected the cost of
+ offering L2VPNs. The first is that the easiest way to offer an L2VPN
+ of a given type of Layer 2 was over an infrastructure of the same
+ type. This approach required that the Service Provider build a
+ separate infrastructure for each Layer 2 encapsulation, e.g., an ATM
+ infrastructure for ATM VPNs, an Ethernet infrastructure for Ethernet
+ VPNs, etc. In addition, a separate infrastructure was needed for the
+ Internet and IP VPNs [RFC4364], and possibly yet another for voice
+ services. Going down this path meant a proliferation of networks.
+
+ The other is that each of these networks had different provisioning
+ methodologies. Furthermore, the provisioning of an L2VPN was fairly
+ complex. It is important to distinguish between a single Layer 2
+ circuit, which connects two customer sites, and a Layer 2 VPN, which
+ is a set of circuits that connect sites belonging to the same
+ customer. The fact that two different circuits belonged to the same
+ VPN was typically known only to the provisioning system, not to the
+ switches offering the service; this complicated the setting up, and
+ subsequently, the troubleshooting, of an L2VPN. Also, each switch
+ offering the service had to be provisioned with the address of every
+ other switch in the same VPN, requiring, in the case of full-mesh VPN
+ connectivity, provisioning proportional to the square of the number
+ of sites. This made full-mesh L2VPN connectivity prohibitively
+ expensive for the Service Provider (SP) and thus also for customers.
+ Finally, even setting up an individual circuit often required the
+ provisioning of every switch along the path.
+
+ Of late, there has been much progress in network "convergence",
+ whereby Layer 2 traffic, Internet traffic, and IP VPN traffic can be
+ carried over a single, consolidated network infrastructure based on
+ IP/MPLS tunnels; this is made possible by techniques such as those
+ described in [RFC4448], [RFC4618], [RFC4619], and [RFC4717] for Layer
+ 2 traffic and in [RFC4364] for IP VPN traffic. This development goes
+ a long way toward addressing the problem of network proliferation.
+ This document goes one step further and shows how a Service Provider
+ can offer Layer 2 VPNs using protocol and provisioning methodologies
+ similar to that used for VPLS [RFC4761] and IP VPNs [RFC4364],
+
+
+
+Kompella, et al. Informational [Page 4]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ thereby achieving a significant degree of operational convergence as
+ well. In particular, all of these methodologies include the notion
+ of a VPN identifier that serves to unify components of a given VPN
+ and the concept of auto-discovery, which simplifies the provisioning
+ of dense VPN topologies (for example, a full mesh). In addition,
+ similar techniques are used in all of the above-mentioned VPN
+ technologies to offer inter-AS and inter-provider VPNs (i.e., VPNs
+ whose sites are connected to multiple Autonomous Systems (ASes) or
+ Service Providers).
+
+ Technically, the approach proposed here uses the concepts and
+ solution described in [RFC4761], which describes a method for VPLS, a
+ particular form of a Layer 2 VPN. That document, in turn, borrowed
+ much from [RFC4364], including the use of BGP for auto-discovery and
+ "demultiplexor" (see below) exchange and the concepts of Route
+ Distinguishers to make VPN advertisements unique and Route Targets to
+ control VPN topology. In addition, all three documents share the
+ idea that routers not directly connected to VPN customers should
+ carry no VPN state, restricting the provisioning of individual
+ connections to just the edge devices. This is achieved using tunnels
+ to carry the data, with a demultiplexor that identifies individual
+ VPN circuits. These tunnels could be based on MPLS, GRE, or any
+ other tunnel technology that offers a demultiplexing field; the
+ signaling of these tunnels is outside the scope of this document.
+ The specific approach taken here is to use an MPLS label as the
+ demultiplexor.
+
+ Layer 2 VPNs typically require that all sites in the VPN connect to
+ the SP with the same Layer 2 encapsulation. To ease this
+ restriction, this document proposes a limited form of Layer 2
+ interworking, by restricting the Layer 3 protocol to IP only (see
+ Section 4).
+
+ It may be instructive to compare the approach described in [RFC4447]
+ and [RFC6074] (these are the IETF-approved technologies for the
+ functions described in this document, albeit using two separate
+ protocols) with the one described here. To comply with IETF
+ standards, it is recommended that devices implementing the solution
+ described in this document also implement the approach in [RFC4447]
+ and [RFC6074].
+
+ The rest of this section discusses the relative merits of Layer 2 and
+ Layer 3 VPNs. Section 2 describes the operation of a Layer 2 VPN.
+ Section 3 describes PE information exchange. Section 4 describes IP-
+ only Layer 2 interworking. Section 5 describes how the L2 packets
+ are transported across the SP network.
+
+
+
+
+
+Kompella, et al. Informational [Page 5]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+1.1. Terminology
+
+ The terminology used is from [RFC4761] and [RFC4364]; it is briefly
+ repeated here. A "customer" is a customer of a Service Provider
+ seeking to interconnect their various "sites" (each an independent
+ network) at Layer 2 through the Service Provider's network, while
+ maintaining privacy of communication and address space. The device
+ in a customer site that connects to a Service Provider router is
+ termed the CE (customer edge) device; this device may be a router or
+ a switch. The Service Provider router to which a CE connects is
+ termed a PE (provider edge). A router in the Service Provider's
+ network that doesn't connect directly to any CE is termed P
+ ("provider" device). Every pair of PEs is connected by a "tunnel";
+ within a tunnel, VPN data is distinguished by a "demultiplexor",
+ which in this document is an MPLS label.
+
+ Each CE within a VPN is assigned a CE ID, a number that uniquely
+ identifies a CE within an L2VPN. More accurately, the CE ID
+ identifies a physical connection from the CE device to the PE, since
+ a CE may be connected to multiple PEs (or multiply connected to a
+ PE); in such a case, the CE would have a CE ID for each connection.
+ A CE may also be part of many L2VPNs; it would need one (or more) CE
+ ID(s) for each L2VPN of which it is a member. The number space for
+ CE IDs is scoped to a given VPN.
+
+ In the case of inter-provider L2VPNs, there needs to be some
+ coordination of allocation of CE IDs. One solution is to allocate
+ ranges for each SP. Other solutions may be forthcoming.
+
+ Within each physical connection from a CE to a PE, there may be
+ multiple virtual circuits. These will be referred to as Attachment
+ Circuits (ACs), following [RFC3985]. Similarly, the entity that
+ connects two attachment circuits across the Service Provider network
+ is called a pseudowire (PW).
+
+1.1.1. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+1.2. Advantages of Layer 2 VPNs
+
+ A Layer 2 VPN is one where a Service Provider provides Layer 2
+ connectivity to the customer. The Service Provider does not
+ participate in the customer's Layer 3 network, especially in the
+ routing, resulting in several advantages to the SP as a whole and to
+ PE routers in particular.
+
+
+
+Kompella, et al. Informational [Page 6]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+1.2.1. Separation of Administrative Responsibilities
+
+ In a Layer 2 VPN, the Service Provider is responsible for Layer 2
+ connectivity; the customer is responsible for Layer 3 connectivity,
+ which includes routing. If the customer says that host x in site A
+ cannot reach host y in site B, the Service Provider need only
+ demonstrate that site A is connected to site B. The details of how
+ routes for host y reach host x are the customer's responsibility.
+
+ Another important factor is that once a PE provides Layer 2
+ connectivity to its connected CE, its job is done. A misbehaving CE
+ can at worst flap its interface, but route flaps in the customer
+ network have little effect on the SP network. On the other hand, a
+ misbehaving CE in a Layer 3 VPN can flap its routes, leading to
+ instability of the PE router or even the entire SP network. Thus,
+ when offering a Layer 3 VPN, an SP should proactively protect itself
+ from Layer 3 instability in the CE network.
+
+1.2.2. Migrating from Traditional Layer 2 VPNs
+
+ Since "traditional" Layer 2 VPNs (i.e., real Frame Relay circuits
+ connecting sites) are indistinguishable from tunnel-based VPNs from
+ the customer's point of view, migrating from one to the other raises
+ few issues. Layer 3 VPNs, on the other hand, require a considerable
+ redesign of the customer's Layer 3 routing architecture.
+ Furthermore, with Layer 3 VPNs, special care has to be taken that
+ routes within the traditional VPN are not preferred over the Layer 3
+ VPN routes (the so-called "backdoor routing" problem, whose solution
+ requires protocol changes that are somewhat ad hoc).
+
+1.2.3. Privacy of Routing
+
+ In an L2VPN, the privacy of customer routing is a natural fallout of
+ the fact that the Service Provider does not participate in routing.
+ The SP routers need not do anything special to keep customer routes
+ separate from other customers or from the Internet; there is no need
+ for per-VPN routing tables and the additional complexity this imposes
+ on PE routers.
+
+1.2.4. Layer 3 Independence
+
+ Since the Service Provider simply provides Layer 2 connectivity, the
+ customer can run any Layer 3 protocols they choose. If the SP were
+ participating in customer routing, it would be vital that the
+ customer and SP both use the same Layer 3 protocol(s) and routing
+ protocols.
+
+
+
+
+
+Kompella, et al. Informational [Page 7]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ Note that IP-only Layer 2 interworking doesn't have this benefit as
+ it restricts the Layer 3 to IP only.
+
+1.2.5. PE Scaling
+
+ In the Layer 2 VPN scheme described below, each PE transmits a single
+ small chunk of information about every CE that the PE is connected to
+ every other PE. That means that each PE need only maintain a single
+ chunk of information from each CE in each VPN and keep a single
+ "route" to every site in every VPN. This means that both the
+ Forwarding Information Base and the Routing Information Base scale
+ well with the number of sites and number of VPNs. Furthermore, the
+ scaling properties are independent of the customer: the only germane
+ quantity is the total number of VPN sites.
+
+ This is to be contrasted with Layer 3 VPNs, where each CE in a VPN
+ may have an arbitrary number of routes that need to be carried by the
+ SP. This leads to two issues. First, both the information stored at
+ each PE and the number of routes installed by the PE for a CE in a
+ VPN can be (in principle) unbounded, which means in practice that a
+ PE must restrict itself to installing routes associated with the VPNs
+ of which it is currently a member. Second, a CE can send a large
+ number of routes to its PE, which means that the PE must protect
+ itself against such a condition. Thus, the SP must enforce limits on
+ the number of routes accepted from a CE; this, in turn, requires the
+ PE router to offer such control.
+
+ The scaling issues of Layer 3 VPNs come into sharp focus at a BGP
+ route reflector (RR). An RR cannot keep all the advertised routes in
+ every VPN since the number of routes will be too large. The
+ following solutions/extensions are needed to address this issue:
+
+ 1. RRs could be partitioned so that each RR services a subset of
+ VPNs so that no single RR has to carry all the routes.
+
+ 2. An RR could use a preconfigured list of Route Targets for its
+ inbound route filtering. The RR may choose to perform Route
+ Target Filtering, described in [RFC4684].
+
+1.2.6. Ease of Configuration
+
+ Configuring traditional Layer 2 VPNs with dense topologies was a
+ burden primarily because of the O(n*n) nature of the task. If there
+ are n CEs in a Frame Relay VPN, say full-mesh connected, n*(n-1)/2
+ DLCI (Data Link Connection Identifier) Permanent Virtual Circuits
+ (PVCs) must be provisioned across the SP network. At each CE, (n-1)
+ DLCIs must be configured to reach each of the other CEs.
+ Furthermore, when a new CE is added, n new DLCI PVCs must be
+
+
+
+Kompella, et al. Informational [Page 8]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ provisioned; also, each existing CE must be updated with a new DLCI
+ to reach the new CE. Finally, each PVC requires state in every
+ transit switch.
+
+ In our proposal, PVCs are tunneled across the SP network. The
+ tunnels used are provisioned independently of the L2VPNs, using
+ signaling protocols (in the case of MPLS, LDP or RSVP - Traffic
+ Engineering (RSVP-TE) can be used), or set up by configuration; the
+ number of tunnels is independent of the number of L2VPNs. This
+ reduces a large part of the provisioning burden.
+
+ Furthermore, we assume that DLCIs at the CE edge are relatively cheap
+ and that VPN labels in the SP network are cheap. This allows the SP
+ to "overprovision" VPNs, for example, allocate 50 CEs to a VPN when
+ only 20 are needed. With this overprovisioning, adding a new CE to a
+ VPN requires configuring just the new CE and its associated PE;
+ existing CEs and their PEs need not be reconfigured. Note that if
+ DLCIs at the CE edge are expensive, e.g., if these DLCIs are
+ provisioned across a switched network, one could provision them as
+ and when needed, at the expense of extra configuration. This need
+ not still result in extra state in the SP network, i.e., an
+ intelligent implementation can allow overprovisioning of the pool of
+ VPN labels.
+
+1.3. Advantages of Layer 3 VPNs
+
+ Layer 3 VPNs ([RFC4364] in particular) offer a good solution when the
+ customer traffic is wholly IP, customer routing is reasonably simple,
+ and the customer sites connect to the SP with a variety of Layer 2
+ technologies.
+
+1.3.1. Layer 2 Independence
+
+ One major restriction in a Layer 2 VPN is that the Layer 2 media with
+ which the various sites of a single VPN connect to the SP must be
+ uniform. On the other hand, the various sites of a Layer 3 VPN can
+ connect to the SP with any supported media; for example, some sites
+ may connect with Frame Relay circuits and others with Ethernet.
+
+ This restriction of Layer 2 VPN is alleviated by the IP-only Layer 2
+ interworking proposed in this document. This comes at the cost of
+ losing the Layer 3 independence.
+
+ A corollary to this is that the number of sites that can be in a
+ Layer 2 VPN is determined by the number of Layer 2 circuits that the
+ Layer 2 technology provides. For example, if the Layer 2 technology
+ is Frame Relay with 2-octet DLCIs, a CE can at most connect to about
+ a thousand other CEs in a VPN.
+
+
+
+Kompella, et al. Informational [Page 9]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+1.3.2. SP Routing as Added Value
+
+ Another problem with Layer 2 VPNs is that the CE router in a VPN must
+ be able to deal with having N routing peers, where N is the number of
+ sites in the VPN. This can be alleviated by manipulating the
+ topology of the VPN. For example, a hub-and-spoke VPN architecture
+ means that only one CE router (the hub) need deal with N neighbors.
+ However, in a Layer 3 VPN, a CE router need only deal with one
+ neighbor, the PE router. Thus, the SP can offer Layer 3 VPNs as a
+ value-added service to its customers.
+
+ Moreover, with Layer 2 VPNs, it is up to a customer to build and
+ operate the whole network. With Layer 3 VPNs, a customer is just
+ responsible for building and operating routing within each site,
+ which is likely to be much simpler than building and operating
+ routing for the whole VPN. That, in turn, makes Layer 3 VPNs more
+ suitable for customers who don't have sufficient routing expertise,
+ again allowing the SP to provide added value.
+
+ As mentioned later, multicast routing and forwarding is another
+ value-added service that an SP can offer.
+
+1.3.3. Class of Service
+
+ Class-of-Service (CoS) issues have been addressed for Layer 3 VPNs.
+ Since the PE router has visibility into the network Layer (IP), the
+ PE router can take on the tasks of CoS classification and routing.
+ This restriction on Layer 2 VPNs is again eased in the case of IP-
+ only Layer 2 interworking, as the PE router has visibility into the
+ network Layer (IP).
+
+1.4. Multicast Routing
+
+ There are two aspects to multicast routing that we will consider. On
+ the protocol front, supporting IP multicast in a Layer 3 VPN requires
+ PE routers to participate in the multicast routing instance of the
+ customer and thus keep some related state information.
+
+ In the Layer 2 VPN case, the CE routers run native multicast routing
+ directly. The SP network just provides pipes to connect the CE
+ routers; PEs are unaware whether the CEs run multicast or not and
+ thus do not have to participate in multicast protocols or keep
+ multicast state information.
+
+ On the forwarding front, in a Layer 3 VPN, CE routers do not
+ replicate multicast packets; thus, the CE-PE link carries only one
+ copy of a multicast packet. Whether replication occurs at the
+ ingress PE or somewhere within the SP network depends on the
+
+
+
+Kompella, et al. Informational [Page 10]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ sophistication of the Layer 3 VPN multicast solution. The simple
+ solution where a PE replicates packets for each of its CEs may place
+ considerable burden on the PE. More complex solutions may require
+ VPN multicast state in the SP network but may significantly reduce
+ the traffic in the SP network by delaying packet replication until
+ needed.
+
+ In a Layer 2 VPN, packet replication occurs at the CE. This has the
+ advantage of distributing the burden of replication among the CEs
+ rather than focusing it on the PE to which they are attached and thus
+ will scale better. However, the CE-PE link will need to carry
+ multiple copies of multicast packets. However, in the case of
+ Virtual Private LAN Service (a specific type of L2VPN; see
+ [RFC4761]), the CE-PE link need transport only one copy of a
+ multicast packet.
+
+ Thus, just as in the case of unicast routing, the SP has the choice
+ to offer a value-added service (multicast routing and forwarding) at
+ some cost (multicast state and packet replication) using a Layer 3
+ VPN or to keep it simple and use a Layer 2 VPN.
+
+2. Operation of a Layer 2 VPN
+
+ The following simple example of a customer with four sites connected
+ to three PE routers in a Service Provider network will hopefully
+ illustrate the various aspects of the operation of a Layer 2 VPN.
+ For simplicity, we assume that a full-mesh topology is desired.
+
+ In what follows, Frame Relay serves as the Layer 2 media, and each CE
+ has multiple DLCIs to its PE, each connecting to another CE in the
+ VPN. If the Layer 2 media were ATM, then each CE would have multiple
+ VPIs/VCIs (Virtual Path Identifiers/Virtual Channel Identifiers) to
+ connect to other CEs. For Point-to-Point Protocol (PPP) and Cisco
+ High-Level Data Link Control (HDLC), each CE would have multiple
+ physical interfaces to connect to other CEs. In the case of IP-only
+ Layer 2 interworking, each CE could have a mix of one or more of the
+ above Layer 2 media to connect to other CEs.
+
+2.1. Network Topology
+
+ Consider a Service Provider network with edge routers PE0, PE1, and
+ PE2. Assume that PE0 and PE1 are IGP neighbors, and PE2 is more than
+ one hop away from PE0.
+
+ Suppose that a customer C has four sites S0, S1, S2, and S3, that C
+ wants to connect via the Service Provider's network using Frame
+ Relay. Site S0 has CE0 and CE1 both connected to PE0. Site S1 has
+ CE2 connected to PE0. Site S2 has CE3 connected to PE1 and CE4
+
+
+
+Kompella, et al. Informational [Page 11]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ connected to PE2. Site S3 has CE5 connected to PE2. (See Figure 1
+ below.) Suppose further that C wants to "overprovision" each current
+ site, in expectation that the number of sites will grow to at least
+ 10 in the near future. However, CE4 is only provisioned with nine
+ DLCIs. (Note that the signaling mechanism discussed in Section 3.2
+ of [RFC4761] will allow a site to grow in terms of connectivity to
+ other sites at a later point of time at the cost of additional
+ signaling, i.e., overprovisioning is not a must but a
+ recommendation).
+
+ Finally, suppose that the CEs have been provisioned with DLCIs as per
+ the following:
+
+ CE# | Provisioned DLCIs
+ --------------------------------------------------------
+ 0 | 100 through 109
+ 1 | 200 through 209
+ 2 | 100 through 109
+ 3 | 200 through 209
+ 4 | 107, 209, 265, 301, 414, 555, 654, 777, and 888
+ 5 | 417 through 426
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kompella, et al. Informational [Page 12]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ S0 S3
+ .............. ..............
+ . . . .
+ . +-----+ . . .
+ . | CE0 |-----------+ . +-----+ .
+ . +-----+ . | . | CE5 | .
+ . . | . +--+--+ .
+ . +-----+ . | . | .
+ . | CE1 |-------+ | .......|......
+ . +-----+ . | | /
+ . . | | /
+ .............. | | /
+ | | SP Network /
+ .....|...|.............................../.....
+ . | | / .
+ . +-+---+-+ +-------+ / .
+ . | PE0 |-------| P |-- | .
+ . +-+---+-+ +-------+ \ | .
+ . / \ \ +---+---+ .
+ . | -----+ --| PE2 | .
+ . | | +---+---+ .
+ . | +---+---+ / .
+ . | | PE1 | / .
+ . | +---+---+ / .
+ . | \ / .
+ ...|.............|.............../.............
+ | | /
+ | | /
+ | | /
+ S1 | | S2 /
+ .............. | ........|........../......
+ . . | . | | .
+ . +-----+ . | . +--+--+ +--+--+ .
+ . | CE2 |-----+ . | CE3 | | CE4 | .
+ . +-----+ . . +-----+ +-----+ .
+ . . . .
+ .............. ..........................
+
+ Figure 1: Example Network Topology
+
+2.2. Configuration
+
+ The following sub-sections detail the configuration that is needed to
+ provision the above VPN. For the purpose of exposition, we assume
+ that the customer will connect to the SP with Frame Relay circuits.
+
+
+
+
+
+
+Kompella, et al. Informational [Page 13]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ While we focus primarily on the configuration that an SP has to do,
+ we touch upon the configuration requirements of CEs as well. The
+ main point of contact in CE-PE configuration is that both must agree
+ on the DLCIs that will be used on the interface connecting them.
+
+ If the PE-CE connection is Frame Relay, it is recommended to run Link
+ Management Interface (LMI) between the PE and CE. For the case of
+ ATM VCs, Operations, Administration, and Maintenance (OAM) cells may
+ be used. For PPP and Cisco HDLC, keepalives may be used directly
+ between CEs; however, in this case, PEs would not have visibility as
+ to the liveness of customers circuits.
+
+ In the case of IP-only Layer 2 interworking, if CE1, attached to PE0,
+ connects to CE3, attached to PE1, via an L2VPN circuit, the Layer 2
+ media between CE1 and PE0 is independent of the Layer 2 media between
+ CE3 and PE1. Each side will run its own Layer-2-specific link
+ management protocol, e.g., LMI, Link Control Protocol (LCP), etc.
+ PE0 will inform PE1 about the status of its local circuit to CE1 via
+ the circuit status vector TLV defined in Section 3.1. Similarly, PE1
+ will inform PE0 about the status of its local circuit to CE3.
+
+2.2.1. CE Configuration
+
+ Each CE that belongs to a VPN is given a "CE ID". CE IDs must be
+ unique in the context of a VPN. For the example, we assume that the
+ CE ID for CE-k is k.
+
+ Each CE is configured to communicate with its corresponding PE with
+ the set of DLCIs given above, for example, CE0 is configured with
+ DLCIs 100 through 109. In general, a CE is configured with a list of
+ circuits, all with the same Layer 2 encapsulation type, e.g., DLCIs,
+ VCIs, physical PPP interface, etc. (IP-only Layer 2 interworking
+ allows a mix of Layer 2 encapsulation types.) The size of this list/
+ set determines the number of remote CEs with which a given CE can
+ communicate. Denote the size of this list/set as the CE's range. A
+ CE's range must be at least the number of remote CEs that the CE will
+ connect to in a given VPN; if the range exceeds this, then the CE is
+ overprovisioned, in anticipation of growth of the VPN.
+
+ Each CE also "knows" which DLCI connects it to every other CE. The
+ methodology followed in this example is to use the CE ID of the other
+ CE as an index into the DLCI list this CE has (with zero-based
+ indexing, i.e., 0 is the first index). For example, CE0 is connected
+ to CE3 through its fourth DLCI, 103; CE4 is connected to CE2 by the
+ third DLCI in its list, namely 265. This is just the methodology
+ used in the description here; the actual methodology used to pick the
+ DLCI to be used is a local matter. The key factor is that CE-k may
+ communicate with CE-m using a different DLCI from the DLCI that CE-m
+
+
+
+Kompella, et al. Informational [Page 14]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ uses to communicate to CE-k, i.e., the SP network effectively acts as
+ a giant Frame Relay switch. This is very important, as it decouples
+ the DLCIs used at each CE site, making for much simpler provisioning.
+
+2.2.2. PE Configuration
+
+ Each PE is configured with the VPNs in which it participates. Each
+ VPN is associated with one or more Route Target communities [RFC4360]
+ that serve to define the topology of the VPN. For each VPN, the PE
+ must determine a Route Distinguisher (RD) to use; this may either be
+ configured or chosen by the PE. RDs do not have to be unique across
+ the VPN. For each CE attached to the PE in a given VPN, the PE must
+ know the set of virtual circuits (DLCI, VCI/VPI, or VLAN) connecting
+ it to the CE and a CE ID identifying the CE within the VPN. CE IDs
+ must be unique in the context of a given VPN.
+
+2.2.3. Adding a New Site
+
+ The first step in adding a new site to a VPN is to pick a new CE ID.
+ If all current members of the VPN are overprovisioned, i.e., their
+ range includes the new CE ID, adding the new site is a purely local
+ task. Otherwise, the sites whose range doesn't include the new CE ID
+ and that wish to communicate directly with the new CE must have their
+ ranges increased by allocating additional local circuits to
+ incorporate the new CE ID.
+
+ The next step is ensuring that the new site has the required
+ connectivity. This usually requires adding a new virtual circuit
+ between the PE and CE; in most cases, this configuration is limited
+ to the PE in question.
+
+ The rest of the configuration is a local matter between the new CE
+ and the PE to which it is attached. At this point, the PE can signal
+ to other PEs that it has a new site in the VPN by advertising a BGP
+ Layer 2 route, and traffic connectivity will be set up.
+
+ It bears repeating that the key to making additions easy is
+ overprovisioning and the algorithm for mapping a CE ID to a DLCI that
+ is used for connecting to the corresponding CE. However, what is
+ being overprovisioned is the number of DLCIs/VCIs that connect the CE
+ to the PE. This is a local matter between the PE and CE; it does not
+ affect other PEs or CEs.
+
+
+
+
+
+
+
+
+
+Kompella, et al. Informational [Page 15]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+2.2.4. Deleting a Site
+
+ Deleting a site consists first of removing the CE ID of the site from
+ the configuration of the PE to which the site is attached. The PE
+ will then signal to other PEs that it no longer has access to that
+ site by withdrawing its previously advertised BGP Layer 2 route.
+ Connectivity to the deleted site will cease.
+
+ The next steps are bookkeeping: decommissioning the attachment
+ circuit from the PE to the CE that corresponds to the site being
+ removed and noting that the CE ID is now free for future allocation.
+ Note that each PE is now (further) overprovisioned; one may choose to
+ actively "reap" CE IDs if desired.
+
+2.2.5. Managing CE ID Mappings
+
+ In the data plane, an attachment circuit, identified say by a DLCI,
+ is mapped to a label via the control plane abstraction of a CE ID.
+ At the egress PE, the label is mapped back to an attachment circuit
+ via the same CE ID. It is up to the VPN administrator
+
+ o to provision attachment circuits (e.g., DLCIs);
+
+ o to allocate CE IDs; and
+
+ o to keep a clear mapping of CE IDs to attachment circuits (and
+ reflect this in PE configurations).
+
+ The PEs manage the mappings between attachment circuits and labels,
+ i.e., the data plane mappings.
+
+ Note that in the N-to-one modes listed in Table 1, a single
+ attachment circuit may correspond to several Layer 2 virtual
+ circuits. Nevertheless, there is a one-to-one mapping between an
+ attachment circuit and a CE ID (and thus a label).
+
+2.2.6. Managing Label Blocks
+
+ Label blocks and label values are managed by the PEs. As sites get
+ added and removed, labels are allocated and released. The easiest
+ way to manage these is to use fixed-size label blocks rather than
+ variable-size blocks, although the signaling described here supports
+ either. If an implementation uses fixed-size blocks, then allocating
+ a label for a new site may requiring allocating a new block;
+ similarly, freeing a label may require freeing a block.
+
+
+
+
+
+
+Kompella, et al. Informational [Page 16]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ If the implementation requires fixed-size blocks, there is probably a
+ default block size, but the implementation SHOULD allow the
+ administrator to choose a size. Larger label block sizes mean more
+ potential "wasted" labels but less signaling overhead, a trade-off
+ that the administrator might want to control.
+
+ Also, as sites get added and deleted, a PE may receive packets with a
+ label that reflects a site that has been deleted locally but not yet
+ processed by remote PEs or that reflects a new site added remotely
+ but not processed locally. In either of these cases, the PE SHOULD
+ silently discard the packet; it may choose to log the event once for
+ each such label, but not for every such packet.
+
+2.3. Operations, Administration, and Maintenance (OAM)
+
+ Many Layer 2 mediums have OAM mechanisms. For example, the PPP has
+ Echo Request and Echo Reply messages; Frame Relay has the Local
+ Management Interface. Among other things, OAM is used for
+ troubleshooting and as keepalives.
+
+ There are two ways to carry OAM information across Layer 2 VPNs. The
+ first is to convey OAM packets as any other Layer 2 packets across
+ the VPN. This is the most general method; it maintains full Layer 2
+ transparency and preserves all OAM information. The other method
+ applies only to the link liveness aspect of OAM; it consists of
+ transmitting the status of each attachment circuit across the control
+ plane using the circuit status vector (Section 3.1). This method is
+ the only one applicable to Layer 2 Interworking VPNs (Section 4),
+ since OAM packets are not IP frames and thus cannot be transmitted
+ across such Layer 2 VPNs.
+
+3. PE Information Exchange
+
+ When a PE is configured with all the required information for a CE,
+ it advertises to other PEs the fact that it is participating in a VPN
+ via BGP messages, as per [RFC4761], Section 3. BGP was chosen as the
+ means for exchanging L2VPN information for two reasons: it offers
+ mechanisms for both auto-discovery and signaling, and it allows for
+ operational convergence, as explained in Section 1. A bonus for
+ using BGP is a robust inter-AS solution for L2VPNs.
+
+ There are two modifications to the formatting of messages. The first
+ is that the set of Encaps Types carried in the L2-info extended
+ community has been expanded to include those from Table 1. The value
+ of the Encaps Type field identifies the Layer 2 encapsulation, e.g.,
+ ATM, Frame Relay, etc.
+
+
+
+
+
+Kompella, et al. Informational [Page 17]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ +-----------+-------------------------------------------+-----------+
+ | Encaps | Description | Reference |
+ | Type | | |
+ +-----------+-------------------------------------------+-----------+
+ | 0 | Reserved | - |
+ | | | |
+ | 1 | Frame Relay | RFC 4446 |
+ | | | |
+ | 2 | ATM AAL5 SDU VCC transport | RFC 4446 |
+ | | | |
+ | 3 | ATM transparent cell transport | RFC 4816 |
+ | | | |
+ | 4 | Ethernet (VLAN) Tagged Mode | RFC 4448 |
+ | | | |
+ | 5 | Ethernet Raw Mode | RFC 4448 |
+ | | | |
+ | 6 | Cisco HDLC | RFC 4618 |
+ | | | |
+ | 7 | PPP | RFC 4618 |
+ | | | |
+ | 8 | SONET/SDH Circuit Emulation Service | RFC 4842 |
+ | | | |
+ | 9 | ATM n-to-one VCC cell transport | RFC 4717 |
+ | | | |
+ | 10 | ATM n-to-one VPC cell transport | RFC 4717 |
+ | | | |
+ | 11 | IP Layer 2 Transport | RFC 3032 |
+ | | | |
+ | 15 | Frame Relay Port mode | RFC 4619 |
+ | | | |
+ | 17 | Structure-agnostic E1 over packet | RFC 4553 |
+ | | | |
+ | 18 | Structure-agnostic T1 (DS1) over packet | RFC 4553 |
+ | | | |
+ | 19 | VPLS | RFC 4761 |
+ | | | |
+ | 20 | Structure-agnostic T3 (DS3) over packet | RFC 4553 |
+ | | | |
+ | 21 | Nx64kbit/s Basic Service using | RFC 5086 |
+ | | Structure-aware | |
+ | | | |
+ | 25 | Frame Relay DLCI | RFC 4619 |
+ | | | |
+ | 40 | Structure-agnostic E3 over packet | RFC 4553 |
+ | | | |
+ | 41 (1) | Octet-aligned payload for | RFC 4553 |
+ | | Structure-agnostic DS1 circuits | |
+ | | | |
+
+
+
+Kompella, et al. Informational [Page 18]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ | 42 (2) | E1 Nx64kbit/s with CAS using | RFC 5086 |
+ | | Structure-aware | |
+ | | | |
+ | 43 | DS1 (ESF) Nx64kbit/s with CAS using | RFC 5086 |
+ | | Structure-aware | |
+ | | | |
+ | 44 | DS1 (SF) Nx64kbit/s with CAS using | RFC 5086 |
+ | | Structure-aware | |
+ +-----------+-------------------------------------------+-----------+
+
+ Table 1: Encaps Types
+
+ Note (1): Allocation of a separate code point for Encaps Type
+ eliminates the need for Time Division Multiplexer (TDM) payload size.
+
+ Note (2): Having separate code points for Encaps Types 42-44 allows
+ specifying the trunk framing (i.e., E1, T1 ESF, or T1 SF) with
+ Channel Associated Signaling (CAS).
+
+ The second is the introduction of TLVs (Type-Length-Value triplets)
+ in the VPLS NLRI (Network Layer Reachability Information). L2VPN
+ TLVs can be added to extend the information carried in the NLRI,
+ using the format shown in Figure 2. In L2VPN TLVs, Type is 1 octet,
+ and Length is 2 octets and represents the size of the Value field in
+ bits. L2VPN TLVs, if present, occur as the last element of a VPLS
+ NLRI. The length of the NLRI includes the total length of the TLVs,
+ including their headers.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value (continued, if needed) ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 2: Format of TLVs
+
+3.1. Circuit Status Vector
+
+ This sub-TLV carries the status of an L2VPN PVC between a pair of
+ PEs. Note that an L2VPN PVC is bidirectional, composed of two
+ simplex connections going in opposite directions. A simplex
+ connection consists of three segments: 1) the local access circuit
+ between the source CE and the ingress PE, 2) the tunnel Label
+ Switched Path (LSP) between the ingress and egress PEs, and 3) the
+ access circuit between the egress PE and the destination CE.
+
+
+
+
+Kompella, et al. Informational [Page 19]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ To monitor the status of a PVC, a PE needs to monitor the status of
+ both simplex connections. Since it knows the status of its access
+ circuit and the status of the tunnel towards the remote PE, it can
+ inform the remote PE of these two. Similarly, the remote PE can
+ inform the status of its access circuit to its local CE and the
+ status of the tunnel to the first PE. Combining the local and the
+ remote information, a PE can determine the status of a PVC.
+
+ The basic unit of advertisement in L2VPN for a given CE is a label
+ block. Each label within a label block corresponds to a PVC on the
+ CE. The local status information for all PVCs corresponding to a
+ label block is advertised along with the NLRI for the label block
+ using the status vector TLV. The Type field of this TLV is 1. The
+ Length field of the TLV specifies the length of the value field in
+ bits. The Value field of this TLV is a bit-vector, each bit of which
+ indicates the status of the PVC associated with the corresponding
+ label in the label block. Bit value 0 corresponds to the PVC
+ associated with the first label in the label block and indicates that
+ the local circuit and the tunnel LSP to the remote PE is up, while a
+ value of 1 indicates that either or both of them are down. The Value
+ field is padded to the nearest octet boundary.
+
+ A PE can determine the status of a PVC from one of its CEs to a
+ remote CE as follows. Say PE A has CE n in VPN X, and PE A gets an
+ advertisement from PE B for remote CE m also in VPN X; this
+ advertisement includes a label block and a circuit status vector. To
+ determine which label to use for CE m, PE A must determine the index
+ corresponding to CE m in the label block that PE B advertised. The
+ status of the PVC between CE n and CE m can be obtained by looking at
+ the bit in the circuit status vector corresponding to this index.
+
+ +----------+-----------------------+
+ | TLV Type | Description |
+ +----------+-----------------------+
+ | 1 | Circuit Status Vector |
+ +----------+-----------------------+
+
+ Table 2: TLV Types
+
+3.2. Generalizing the VPN Topology
+
+ In the above, we assumed for simplicity that the VPN was a full mesh.
+ To allow for more general VPN topologies, a mechanism based on
+ filtering of BGP extended communities can be used.
+
+
+
+
+
+
+
+Kompella, et al. Informational [Page 20]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+4. Layer 2 Interworking
+
+ As defined so far in this document, all CE-PE connections for a given
+ Layer 2 VPN must use the same Layer 2 encapsulation, e.g., they must
+ all be Frame Relay. This is often a burdensome restriction. One
+ answer is to use an existing Layer 2 interworking mechanism, for
+ example, Frame Relay-ATM interworking.
+
+ In this document, we take a different approach: we postulate that the
+ network Layer is IP and base Layer 2 interworking on that. Thus, one
+ can choose between pure Layer 2 VPNs, with a stringent Layer 2
+ restriction but with Layer 3 independence, or Layer 2 interworking
+ VPNs, where there is no restriction on Layer 2, but Layer 3 must be
+ IP. Of course, a PE may choose to implement Frame Relay-ATM
+ interworking. For example, an ATM Layer 2 VPN could have some CEs
+ connect via Frame Relay links, if their PE could translate Frame
+ Relay to ATM transparently to the rest of the VPN. This would be
+ private to the CE-PE connection, and such a course is outside the
+ scope of this document.
+
+ For Layer 2 interworking as defined here, when an IP packet arrives
+ at a PE, its Layer 2 address is noted, then all Layer 2 overhead is
+ stripped, leaving just the IP packet. Next, a VPN label is added,
+ and the packet is encapsulated in the PE-PE tunnel (as required by
+ the tunnel technology). Finally, the packet is forwarded. Note that
+ the forwarding decision is made on the basis of the Layer 2
+ information, not the IP header. At the egress, the VPN label
+ determines to which CE the packet must be sent and over which virtual
+ circuit; from this, the egress PE can also determine the Layer 2
+ encapsulation to place on the packet once the VPN label is stripped.
+
+ An added benefit of restricting interworking to IP only as the Layer
+ 3 technology is that the provider's network can provide IP Diffserv
+ or any other IP-based QoS mechanism to the L2VPN customer. The
+ ingress PE can set up IP/TCP/UDP-based classifiers to do Diffserv
+ marking and other functions like policing and shaping on the L2
+ circuits of the VPN customer. Note the division of labor: the CE
+ determines the destination CE and encodes that in the Layer 2
+ address. The ingress PE thus determines the egress PE and VPN label
+ based on the Layer 2 address supplied by the CE, but the ingress PE
+ can choose the tunnel to reach the egress PE (in the case that there
+ are different tunnels for each CoS/Diffserv code point) or the CoS
+ bits to place in the tunnel (in the case where a single tunnel
+ carries multiple CoS/Diffserv code points) based on its own
+ classification of the packet.
+
+
+
+
+
+
+Kompella, et al. Informational [Page 21]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+5. Packet Transport
+
+ When a packet arrives at a PE from a CE in a Layer 2 VPN, the Layer 2
+ address of the packet identifies to which remote attachment circuit
+ (and thus remote CE) the packet is destined. The procedure outlined
+ above installs a route that maps the Layer 2 address to a tunnel
+ (which identifies the PE to which the destination CE is attached) and
+ a VPN label (which identifies the destination AC). If the egress PE
+ is the same as the ingress PE, no tunnel or VPN label is needed.
+
+ The packet may then be modified (depending on the Layer 2
+ encapsulation). In case of IP-only Layer 2 interworking, the Layer 2
+ header is completely stripped off up to the IP header. Then, a VPN
+ label and tunnel encapsulation are added as specified by the route
+ described above, and the packet is sent to the egress PE.
+
+ If the egress PE is the same as the ingress, the packet "arrives"
+ with no labels. Otherwise, the packet arrives with the VPN label,
+ which is used to determine which CE is the destination CE. The
+ packet is restored to a fully formed Layer 2 packet and then sent to
+ the CE.
+
+5.1. Layer 2 MTU
+
+ This document requires that the Layer 2 MTU configured on all the
+ access circuits connecting CEs to PEs in an L2VPN be the same. This
+ can be ensured by passing the configured Layer 2 MTU in the Layer2-
+ info extended community when advertising L2VPN label blocks. On
+ receiving an L2VPN label block from remote PEs in a VPN, the MTU
+ value carried in the Layer2-info extended community should be
+ compared against the configured value for the VPN. If they don't
+ match, then the label block should be ignored.
+
+ The MTU on the Layer 2 access links MUST be chosen such that the size
+ of the L2 frames plus the L2VPN header does not exceed the MTU of the
+ SP network. Layer 2 frames that exceed the MTU after encapsulation
+ MUST be dropped. For the case of IP-only Layer 2 interworking, the
+ IP MTU on the Layer 2 access link must be chosen such that the size
+ of the IP packet and the L2VPN header does not exceed the MTU of the
+ SP network.
+
+5.2. Layer 2 Frame Format
+
+ The modification to the Layer 2 frame depends on the Layer 2 type.
+ This document requires that the encapsulation methods used in
+ transporting Layer 2 frames over tunnels be the same as described in
+ [RFC4448], [RFC4618], [RFC4619], and [RFC4717], except in the case of
+ IP-only Layer 2 Interworking, which is described next.
+
+
+
+Kompella, et al. Informational [Page 22]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+5.3. IP-Only Layer 2 Interworking
+
+ +-----------------------------------+
+ | PSN Transport | VPN | IP | VPN label is the
+ | Header | Label | Packet | demultiplexing field
+ +-----------------------------------+
+
+ Figure 3: Format of IP-Only Layer 2 Interworking Packet
+
+ At the ingress PE, an L2 frame's L2 header is completely stripped off
+ and is carried over as an IP packet within the SP network (Figure 3).
+ The forwarding decision is still based on the L2 address of the
+ incoming L2 frame. At the egress PE, the IP packet is encapsulated
+ back in an L2 frame and transported over to the destination CE. The
+ forwarding decision at the egress PE is based on the VPN label as
+ before. The L2 technology between egress PE and CE is independent of
+ the L2 technology between ingress PE and CE.
+
+6. Security Considerations
+
+ RFC 4761 [RFC4761], on which this document is based, has a detailed
+ discussion of security considerations. As in RFC 4761, the focus
+ here is the privacy of customer VPN data (as opposed to
+ confidentiality, integrity, or authentication of said data); to
+ achieve the latter, one can use the methods suggested in RFC 4761.
+ The techniques described in RFC 4761 for securing the control plane
+ and protecting the forwarding path apply equally to L2VPNs, as do the
+ remarks regarding multi-AS operation. The mitigation strategies and
+ the analogies with RFC 4364 [RFC4364] also apply here.
+
+ RFC 4761 perhaps should have discussed Denial-of-Service attacks
+ based on the fact that VPLS PEs have to learn Media Access Control
+ (MAC) addresses and replicate packets (for flooding and multicast).
+ However, those considerations don't apply here, as neither of those
+ actions are required of PEs implementing the procedures in this
+ document.
+
+7. IANA Considerations
+
+ IANA has created two new registries: the first is for the one-octet
+ Encaps Type field of the L2-info extended community. The name of the
+ registry is "BGP Layer 2 Encapsulation Types"; the values already
+ allocated are in Table 1 of Section 3. The allocation policy for new
+ entries up to and including value 127 is "Expert Review" [RFC5226].
+ The allocation policy for values 128 through 251 is "First Come First
+ Served". The values from 252 through 255 are for "Experimental Use".
+
+
+
+
+
+Kompella, et al. Informational [Page 23]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ The second registry is for the one-octet Type field of the TLVs of
+ the VPLS NLRI. The name of the registry is "BGP L2 TLV Types"; the
+ sole allocated value is in Table 2 of Section 3. The allocation
+ policy for new entries up to and including value 127 is "Expert
+ Review". The allocation policy for values 128 through 251 is "First
+ Come First Served". The values from 252 through 255 are for
+ "Experimental Use".
+
+8. Acknowledgments
+
+ The authors would like to thank Chaitanya Kodeboyina, Dennis
+ Ferguson, Der-Hwa Gan, Dave Katz, Nischal Sheth, John Stewart, and
+ Paul Traina for the enlightening discussions that helped shape the
+ ideas presented here. The authors also thank Ross Callon for his
+ valuable comments.
+
+ The idea of using extended communities for more general connectivity
+ of a Layer 2 VPN was a contribution by Yakov Rekhter, who also gave
+ many useful comments on the text. Many thanks to him.
+
+9. Contributors
+
+ The following individuals contributed to this document.
+
+ Manoj Leelanivas, Juniper Networks
+ Quaizar Vohra, Juniper Networks
+ Javier Achirica, Consultant
+ Ronald Bonica, Juniper Networks
+ Dave Cooper, Global Crossing
+ Chris Liljenstolpe, Telstra
+ Eduard Metz, KPN Dutch Telecom
+ Hamid Ould-Brahim, Nortel
+ Chandramouli Sargor
+ Himanshu Shah, Ciena
+ Vijay Srinivasan
+ Zhaohui Zhang, Juniper Networks
+
+10. References
+
+10.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
+ Communities Attribute", RFC 4360, February 2006.
+
+
+
+
+
+Kompella, et al. Informational [Page 24]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
+ Networks (VPNs)", RFC 4364, February 2006.
+
+ [RFC4446] Martini, L., "IANA Allocations for Pseudowire Edge to Edge
+ Emulation (PWE3)", BCP 116, RFC 4446, April 2006.
+
+ [RFC4448] Martini, L., Rosen, E., El-Aawar, N., and G. Heron,
+ "Encapsulation Methods for Transport of Ethernet over MPLS
+ Networks", RFC 4448, April 2006.
+
+ [RFC4618] Martini, L., Rosen, E., Heron, G., and A. Malis,
+ "Encapsulation Methods for Transport of PPP/High-Level
+ Data Link Control (HDLC) over MPLS Networks", RFC 4618,
+ September 2006.
+
+ [RFC4619] Martini, L., Kawa, C., and A. Malis, "Encapsulation
+ Methods for Transport of Frame Relay over Multiprotocol
+ Label Switching (MPLS) Networks", RFC 4619,
+ September 2006.
+
+ [RFC4717] Martini, L., Jayakumar, J., Bocci, M., El-Aawar, N.,
+ Brayley, J., and G. Koleyni, "Encapsulation Methods for
+ Transport of Asynchronous Transfer Mode (ATM) over MPLS
+ Networks", RFC 4717, December 2006.
+
+ [RFC4761] Kompella, K. and Y. Rekhter, "Virtual Private LAN Service
+ (VPLS) Using BGP for Auto-Discovery and Signaling",
+ RFC 4761, January 2007.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ May 2008.
+
+10.2. Informative References
+
+ [Kosiur] Kosiur, D., "Building and Managing Virtual Private
+ Networks", Wiley Computer Publishing, 1998.
+
+ [RFC3985] Bryant, S. and P. Pate, "Pseudo Wire Emulation Edge-to-
+ Edge (PWE3) Architecture", RFC 3985, March 2005.
+
+ [RFC4447] Martini, L., Rosen, E., El-Aawar, N., Smith, T., and G.
+ Heron, "Pseudowire Setup and Maintenance Using the Label
+ Distribution Protocol (LDP)", RFC 4447, April 2006.
+
+
+
+
+
+
+
+Kompella, et al. Informational [Page 25]
+
+RFC 6624 BGP Auto-Discovery and Signaling for L2VPN May 2012
+
+
+ [RFC4684] Marques, P., Bonica, R., Fang, L., Martini, L., Raszuk,
+ R., Patel, K., and J. Guichard, "Constrained Route
+ Distribution for Border Gateway Protocol/MultiProtocol
+ Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual
+ Private Networks (VPNs)", RFC 4684, November 2006.
+
+ [RFC4762] Lasserre, M. and V. Kompella, "Virtual Private LAN Service
+ (VPLS) Using Label Distribution Protocol (LDP) Signaling",
+ RFC 4762, January 2007.
+
+ [RFC6074] Rosen, E., Davie, B., Radoaca, V., and W. Luo,
+ "Provisioning, Auto-Discovery, and Signaling in Layer 2
+ Virtual Private Networks (L2VPNs)", RFC 6074,
+ January 2011.
+
+Authors' Addresses
+
+ Kireeti Kompella
+ Juniper Networks
+ 1194 N. Mathilda Ave.
+ Sunnyvale, CA 94089
+ USA
+
+ EMail: kireeti@juniper.net
+
+
+ Bhupesh Kothari
+ Cisco Systems
+ 3750 Cisco Way
+ San Jose, CA 95134
+ USA
+
+ EMail: bhupesh@cisco.com
+
+
+ Rao Cherukuri
+ Juniper Networks
+ 1194 N. Mathilda Ave.
+ Sunnyvale, CA 94089
+ USA
+
+ EMail: cherukuri@juniper.net
+
+
+
+
+
+
+
+
+
+Kompella, et al. Informational [Page 26]
+