1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
|
Network Working Group B. Fox
Request for Comments: 2735 Equipe Communications
Category: Standards Track B. Petri
Siemens AG
December 1999
NHRP Support for Virtual Private Networks
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
The NBMA Next Hop Resolution Protocol (NHRP) is used to determine the
NBMA subnetwork addresses of the "NBMA next hop" towards a public
internetworking layer address (see [1]). This document describes the
enhancements necessary to enable NHRP to perform the same function
for private internetworking layer addresses available within the
framework of a Virtual Private Network (VPN) service on a shared NBMA
network.
1. Introduction
NHRP is a public internetworking layer based resolution protocol.
There is an implicit understanding in [1] that a control message
applies to the public address space.
Service Providers of Virtual Private Network (VPN) services will
offer VPN participants specific service level agreements (SLA) which
may include, for example, dedicated routing functions and/or specific
QoS levels. A particularly important feature of a VPN service is the
ability to use a private address space which may overlap with the
address space of another VPN or the Public Internet. Therefore, such
an internetworking layer address only has meaning within the VPN in
which it exists. For this reason, it is necessary to identify the
VPN in which a particular internetworking layer address has meaning,
the "scope" of the internetworking layer address.
Fox & Petri Standards Track [Page 1]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
As VPNs are deployed on shared networks, NHRP may be used to resolve
a private VPN address to a shared NBMA network address. In order to
properly resolve a private VPN address, it is necessary for the NHRP
device to be able to identify the VPN in which the address has
meaning and determine resolution information based on that "scope".
As VPN services are added to an NBMA network using NHRP devices, it
may be necessary to support the service with legacy NHRP devices that
do not have VPN knowledge and so do not explicitly support VPNs.
This document describes requirements for "VPN-aware" NHRP entities to
support VPN services while communicating with both "VPN-aware" and
"non-VPN-aware" NHRP entities.
2. Overview of NHRP VPN Support
2.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [4].
In addition to the terminology specified in section 2.1 of [1], the
following definitions and acronyms are used:
Default Routing Instance -- In the presence of VPNs, all packets are
processed (e.g., routed) within the context of a specific VPN. In the
case where no VPN is indicated, a packet is processed according to a
default VPN, i.e., a Default Routing Instance. This routing instance
may be the Public Internet, a particular VPN, etc. The term only has
meaning for "VPN-aware" NHRP entities.
Virtual Private Network (VPN) -- in the context of this
specification, this term is used as described in [3].
VPN-aware -- a "VPN-aware" NHRP entity is an NHRP entity that
implements the NHRP enhancements for VPNs as defined in this
document.
Non-VPN-aware -- a "non-VPN-aware" NHRP entity is an NHRP entity
which is deployed as part of a single VPN, but is not VPN-aware.
Restrictions applying to non-VPN-aware NHRP entities are outlined
below. NHRP devices as specified in [1] are examples of non-VPN-
aware entities.
VPN encapsulation -- An LLC/SNAP encapsulation of a PDU with an
indication of the VPN to which the PDU belongs. In the case that the
underlying NBMA network is an ATM network, VPN encapsulation is
specified in section 8 of [2].
Fox & Petri Standards Track [Page 2]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
VPN identifier (VPN-ID) -- in the context of this specification, this
term is used as specified in [3].
VPN signalling -- in the context of this specification, this term is
used to denote a method to indicate the VPN-ID via control signalling
or similar ways in the control path.
2.2 VPN Support Overview
When supporting NHRP for a VPN, it is necessary to specify to which
VPN the NHRP message applies in order to comply with the VPN service
level agreement applicable to that VPN.
On some NBMA networks, it is possible to establish a VPN-specific
control path between NHRP devices. This is sufficient to identify
the NHRP control packets as belonging to the "inherited" VPN.
However, when that alternative is not used, the NHRP device must
specify the VPN to which an NHRP packet applies in the PDU.
It is not useful to add a VPN extension to NHRP control messages
because transit NHRP Servers are not required to process the
extensions to an NHRP control message (see 5.3 in [1]). NHRP Servers
already deployed might resolve the control packet within the scope of
the public internetworking layer address space instead of the private
address space causing problems in routing.
Instead, an LLC/SNAP header with a VPN indication (as specified in
Section 4.1 below) will be prepended to the NHRP control message.
This solution allows the same VPN-specific LLC/SNAP header to be
prepended to PDUs in both the control and data paths.
3. NHRP VPN Operation
3.1 VPN-Aware NHRP Operation
When a VPN-aware NHRP device forwards a packet pertaining to a
particular VPN, that device MUST be able to indicate the VPN either:
a) explicitly through use of the VPN-specific LLC/SNAP header or
b) implictly through an indication via VPN signalling.
This applies to NHC-NHS, NHS-NHS, and NHS-NHC control messages as
well as NHC-NHC shortcut traffic.
For case a), the indication of the VPN-ID is via a VPN-specific
LLC/SNAP header specified in section 4.2 below. In the case of an
underlying ATM network, see also section 8 of [2].
Fox & Petri Standards Track [Page 3]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
For case b), the method used to indicate the VPN-ID via VPN
signalling depends on the mechanisms available in the underlying
network and is outside the scope of this memo. A VPN-aware NHRP
entity using VPN signalling SHOULD NOT also indicate the VPN-ID
explicity for any PDU on the related path.
In transiting an NHRP Server, the VPN identification MAY be forwarded
in a different format than was received, however, the same VPN-ID
MUST be indicated for the message. For example, a PDU received with
an LLC/SNAP header containing a VPN identifier may be forwarded on a
control path which was established with an indication of the same VPN
without the VPN-specific LLC/SNAP header.
When a VPN capable NHRP entity receives an NHRP message from a VPN-
aware NHRP device without a VPN indication via VPN encapsulation or
VPN signalling, the message applies to the default routing instance
supported by the shared infrastructure. The public Internet or a
particular VPN routing realm may be configured as the default routing
instance.
3.2 Interactions of VPN-aware and non-VPN-aware NHRP entities
A VPN-aware NHRP entity MUST be able to indicate the VPN-ID in one of
the ways specified in section 3.1 above. It MAY participate in more
than one VPN.
Because a non-VPN-aware NHRP device does not understand the concept
of VPNs, it only supports a single routing instance. Therefore, a
non-VPN-aware NHRP entity belongs to exactly one VPN without being
aware of it. All internetworking packets sent by that entity are
assumed to belong to that VPN (Note that if the current IPv4-based
Internet is regarded as just one big VPN, attached IPv4 hosts may
e.g. be regarded as being "contained" in that VPN).
In order for a non-VPN-aware NHRP entity to interact with a VPN-aware
NHRP entity, the VPN-aware NHRP entity MUST be configured to
associate the correct VPN-ID with information received from the non-
VPN-aware entity. In other words, the VPN-aware NHRP entity acts as
in the case of option b) from section 3.1 where the VPN-ID was
indicated via VPN signalling. However, this association is
provisioned using administrative means that are beyond the scope of
this document instead of via VPN signalling. Further, it MUST be
ensured by administrative means that non-VPN-aware NHRP entities only
communicate either with other NHRP entities contained in the same
VPN, or with VPN-aware NHRP entities with pre- configured information
about the related VPN-ID of those non-VPN-aware entities.
Fox & Petri Standards Track [Page 4]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
VPN-aware NHRP entities SHALL only send information to non-VPN-aware
NHRP entities if that information belongs to the VPN in which the
non-VPN-aware entity is contained. Information sent to a non-VPN-
aware NHRP entity MUST not include any indication of the VPN-ID.
In order to correctly transfer data packets, it is necessary for
VPN-aware ingress NHRP clients to know whether their partner is also
VPN-aware. If the egress is VPN-aware, the ingress NHC will also use
the means described in section 3.1 on an NBMA shortcut to that egress
NHC to specify the VPN to which the data packet belongs.
For this purpose, a further NHRP extension (in addition to those
specified in section 5.3 of [1]) is specified which is called NHRP
Device Capabilities extension (see section 4.2 below). This extension
currently indicates the VPN capabilities of NHRP source and
destination entities, but may also be used in the future for further
additions to NHRP to indicate other capabilities as well.
3.3 Handling of the NHRP Device Capabilities extension
The NHRP Device Capabilities extension MUST be attached to all NHRP
Resolution Requests generated by a VPN-aware source NHRP entity. The
device SHOULD set the Source Capabilities field to indicate that it
supports VPNs. The compulsory bit MUST be set to zero, so that a
non-VPN-aware NHS may safely ignore the extension when forwarding the
request. In addition, the A-bit (see section 5.2.1 of [1]) SHOULD be
set to indicate that only authoritative next hop information is
desired to avoid non-authoritative replies from non-VPN-aware NHRP
servers.
Since a non-VPN-aware NHS is not able to process the NHRP Device
Capability extension, Network Admistrators MUST avoid configurations
in which a VPN-aware NHRP Client is authoritatively served by a non-
VPN-aware NHRP Server.
If an egress NHS receives an NHRP Resolution Request with an NHRP
Device Capability Extension included, it returns an NHRP Resolution
Reply with an indication of whether the destination is VPN-aware by
correctly setting the target capabilities flag [see Section 4.2].
If an egress NHS receives an NHRP Resolution Request without an NHRP
Device Capability Extension included or with the source capabilities
flag indicating that the source NHRP device is non-VPN-aware, it MAY
act in one of the following ways:
Fox & Petri Standards Track [Page 5]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
- It MAY reject the NHRP Resolution Request; this is because the
VPN-aware destination will be unable to determine the context
of information received on an NBMA shortcut from a non-VPN-
aware NHRP source. This is the default case.
- If the destination is also non-VPN-aware, it MAY accept the
request and return an NHRP Resolution Reply. By default, the
two non-VPN-aware NHRP clients will interact correctly.
- It MAY offer itself as a destination and resolve the request
using its own NBMA address, if it has the related capabilities.
- If the indicated VPN-ID identifies the default routing instance
of the destination, the NHS MAY accept the request and send a
corresponding NHRP Resolution Reply.
The NHRP Device Capabilities extension SHOULD NOT be included in the
NHRP Register Request and Reply messages.
3.4 Error handling procedures
If an NHRP entity receives a PDU with a VPN-ID indicated via VPN
encapsulation which is in conflict to a VPN-ID earlier allocated to
that communication (e.g. via VPN signalling or administratively via
configuration), it SHOULD send back an NHRP error indication (see
5.2.7 of [1]) to the sender indicating error code 16 (VPN mismatch).
However, in order to avoid certain security issues, an NHRP entity
MAY instead silently drop the packet.
If a VPN-aware NHRP entity receives a packet for a VPN that it does
not support, it SHOULD send back an NHRP error indication to the
sender with an error code 17 (VPN not supported). However, in order
to avoid certain security issues, an NHRP entity MAY instead silently
drop the packet.
If a VPN-aware NHS cannot find a route to forward a VPN-related NHRP
message, it SHOULD send back an NHRP error indication to the sender
with error code 6 (protocol address unreachable). However, in order
to avoid certain security issues, an NHRP entity MAY instead silently
drop the packet.
In all cases, where an NHRP error indication is returned by a VPN-
aware NHRP entity, the incorrect VPN-ID related to this indication
SHALL be indicated via VPN encapsulation or VPN signalling, except
when sending it to a non-VPN-aware NHRP device (see 3.1 / 3.2 above).
Fox & Petri Standards Track [Page 6]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
4. NHRP Packet Formats
4.1 VPN encapsulation
The format of the VPN encapsulation header is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0xAA | 0xAA | 0x03 | 0x00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x00 | 0x5E | 0x00 | 0x08 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PAD | OUI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VPN Index |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LLC encapsulated PDU (up to 2^16 - 16 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
It consists of the following parts:
- LLC/SNAP indication (0xAA-AA-03)
- OUI (of IANA) (0x00-00-5E)
- PID allocated by IANA for VPN encapsulation (0x00-08)
- PAD field (inserted for 32-bit alignment)
this field is coded as 0x00, and is ignored on receipt
- VPN related OUI (see [3])
- VPN Index (see [3]).
When this encapsulation header is used, the remainder of the PDU MUST
be structured according to the appropriate LLC/SNAP format (i.e. that
would have been used without the additional VPN encapsulation
header). Correspondingly, the following figure shows how NHRP
messages are transferred using VPN encapsulation:
Fox & Petri Standards Track [Page 7]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0xAA | 0xAA | 0x03 | 0x00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x00 | 0x5E | 0x00 | 0x08 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PAD | OUI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VPN Index |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0xAA | 0xAA | 0x03 | 0x00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x00 | 0x5E | 0x00 | 0x03 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NHRP message |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The following example shows how IP packets are transferred by VPN
encapsulation:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0xAA | 0xAA | 0x03 | 0x00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x00 | 0x5E | 0x00 | 0x08 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PAD | OUI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VPN Index |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0xAA | 0xAA | 0x03 | 0x00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x00 | 0x00 | 0x08 | 0x00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IP PDU (up to 2^16 - 24 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fox & Petri Standards Track [Page 8]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
4.2 NHRP device capabilities extension
The format of the NHRP device capabilities extension is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|C|u| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Capabilities |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Target Capabilities |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
C: Compulsory = 0 (not a compulsory extension)
u: Unused and MUST be set to zero.
Type = 0x0009
Length = 0x0008
Source Capabilities field:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| unused |V|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
V bit:
0x0 - the source NHRP device is non-VPN-aware
0x1 - the source NHRP device is VPN-aware
The unused bits MUST be set to zero on transmission
and ignored on receipt.
Fox & Petri Standards Track [Page 9]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
Target Capabilities field:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| unused |V|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
V bit:
0x0 - the destination NHRP device is non-VPN-aware
0x1 - the destination NHRP device is VPN-aware
The unused bits MUST be set to zero on transmission
and ignored on receipt.
4.3 Error Codes
The following further Error Codes are defined in addition to those
specified in section 5.2.7 of [1]):
16 - VPN mismatch
This error code is returned by a VPN-capable NHRP device, if it
receives a PDU with a VPN-ID in the LLC/SNAP header different
from the VPN-ID which had been specified earlier via VPN
signalling.
17 - VPN not supported
This error code is returned by a VPN-capable NHRP device, if it
receives an NHRP message for a VPN that it does not support.
5. Security Considerations
For any VPN application, it is important that VPN-related information
is not misdirected to other VPNs and is not accessible when being
transferred across a public or shared infrastructure. It is therefore
RECOMMENDED to use the VPN support functions specified in this
document in combination with NHRP authentication as specified in
section 5.3.4 of [1]. Section 5.3.4.4 of [1] also provides further
information on general security considerations related to NHRP.
In cases where the NHRP entity does not trust all of the NHRP
entities, or is uncertain about the availability of the end-to-end
NHRP authentication chain, it may use IPsec for confidentiality,
integrity, etc.
Fox & Petri Standards Track [Page 10]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
6. IANA Considerations
The LLC/SNAP protocol ID 0x00-08 for VPN encapsulation had already
been allocated by IANA in conjunction with [2]. This specification
does not require the allocation of any additional LLC/SNAP protocol
IDs beyond that.
It should be noted that IANA - as the owner of the VPN-related OUI:
0x00-00-5E - is itself also a VPN authority which may allocate VPN
indices to identify VPNs. The use of these particular VPN indices
within the context of this specification is reserved, and requires
allocation and approval by the IESG in accordance with RFC 2434.
References
[1] Luciani, J., Katz, D., Piscitello, D., Cole, B. and N. Doraswamy,
"NMBA Next Hop Resolution Protocol (NHRP)", RFC 2332, April 1998.
[2] Grossman, D. and J. Heinanen, "Multiprotocol Encapsulation over
ATM Adaptation Layer 5", RFC 2684, September 1999.
[3] Fox, B. and B. Gleeson, "Virtual Private Networks Identifier",
RFC 2685, September 1999.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
Authors' Addresses
Barbara A. Fox
Equipe Communications
100 Nagog Park
Acton, MA 01720
Phone: +1-978-795-2009
EMail: bfox@equipecom.com
Bernhard Petri
Siemens AG
Hofmannstr. 51
Munich, Germany, D-81359
Phone: +49 89 722-34578
EMail: bernhard.petri@icn.siemens.de
Fox & Petri Standards Track [Page 11]
^L
RFC 2735 NHRP Support for Virtual Private Networks December 1999
Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Fox & Petri Standards Track [Page 12]
^L
|