1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
|
Internet Engineering Task Force (IETF) B. Davie
Request for Comments: 6016 F. Le Faucheur
Category: Standards Track A. Narayanan
ISSN: 2070-1721 Cisco Systems, Inc.
October 2010
Support for the Resource Reservation Protocol (RSVP) in Layer 3 VPNs
Abstract
RFC 4364 and RFC 4659 define an approach to building provider-
provisioned Layer 3 VPNs (L3VPNs) for IPv4 and IPv6. It may be
desirable to use Resource Reservation Protocol (RSVP) to perform
admission control on the links between Customer Edge (CE) routers and
Provider Edge (PE) routers. This document specifies procedures by
which RSVP messages traveling from CE to CE across an L3VPN may be
appropriately handled by PE routers so that admission control can be
performed on PE-CE links. Optionally, admission control across the
provider's backbone may also be supported.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6016.
Davie, et al. Standards Track [Page 1]
^L
RFC 6016 RSVP for L3VPNs October 2010
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Davie, et al. Standards Track [Page 2]
^L
RFC 6016 RSVP for L3VPNs October 2010
Table of Contents
1. Introduction ....................................................4
1.1. Terminology ................................................5
1.2. Requirements Language ......................................5
2. Problem Statement ...............................................5
2.1. Model of Operation .........................................8
3. Admission Control on PE-CE Links ................................9
3.1. New Objects of Type VPN-IPv4 ...............................9
3.2. Path Message Processing at Ingress PE .....................11
3.3. Path Message Processing at Egress PE ......................12
3.4. Resv Processing at Egress PE ..............................13
3.5. Resv Processing at Ingress PE .............................13
3.6. Other RSVP Messages .......................................14
4. Admission Control in Provider's Backbone .......................14
5. Inter-AS Operation .............................................15
5.1. Inter-AS Option A .........................................15
5.2. Inter-AS Option B .........................................15
5.2.1. Admission Control on ASBR ..........................16
5.2.2. No Admission Control on ASBR .......................16
5.3. Inter-AS Option C .........................................17
6. Operation with RSVP Disabled ...................................17
7. Other RSVP Procedures ..........................................18
7.1. Refresh Overhead Reduction ................................18
7.2. Cryptographic Authentication ..............................18
7.3. RSVP Aggregation ..........................................19
7.4. Support for CE-CE RSVP-TE .................................19
8. Object Definitions .............................................20
8.1. VPN-IPv4 and VPN-IPv6 SESSION Objects .....................20
8.2. VPN-IPv4 and VPN-IPv6 SENDER_TEMPLATE Objects .............21
8.3. VPN-IPv4 and VPN-IPv6 FILTER_SPEC Objects .................22
8.4. VPN-IPv4 and VPN-IPv6 RSVP_HOP Objects ....................22
8.5. Aggregated VPN-IPv4 and VPN-IPv6 SESSION Objects ..........24
8.6. AGGREGATE-VPN-IPv4 and AGGREGATE-VPN-IPv6
SENDER_TEMPLATE Objects ...................................26
8.7. AGGREGATE-VPN-IPv4 and AGGREGATE-VPN-IPv6
FILTER_SPEC Objects .......................................27
9. IANA Considerations ............................................28
10. Security Considerations .......................................30
11. Acknowledgments ...............................................33
Appendix A. Alternatives Considered .............................34
A.1. GMPLS UNI Approach ........................................34
A.2. Label Switching Approach ..................................34
A.3. VRF Label Approach ........................................34
A.4. VRF Label Plus VRF Address Approach .......................35
References ........................................................35
Normative References ...........................................35
Informative References .........................................36
Davie, et al. Standards Track [Page 3]
^L
RFC 6016 RSVP for L3VPNs October 2010
1. Introduction
[RFC4364] and [RFC4659] define a Layer 3 VPN service known as BGP/
MPLS VPNs for IPv4 and for IPv6, respectively. [RFC2205] defines the
Resource Reservation Protocol (RSVP), which may be used to perform
admission control as part of the Integrated Services (Int-Serv)
architecture [RFC1633][RFC2210].
Customers of a Layer 3 VPN service may run RSVP for the purposes of
admission control (and associated resource reservation) in their own
networks. Since the links between Provider Edge (PE) and Customer
Edge (CE) routers in a Layer 3 VPN may often be resource constrained,
it may be desirable to be able to perform admission control over
those links. In order to perform admission control using RSVP in
such an environment, it is necessary that RSVP control messages, such
as Path messages and Resv messages, are appropriately handled by the
PE routers. This presents a number of challenges in the context of
BGP/MPLS VPNs:
o RSVP Path message processing depends on routers recognizing the
Router Alert Option ([RFC2113], [RFC2711]) in the IP header.
However, packets traversing the backbone of a BGP/MPLS VPN are
MPLS encapsulated, and thus the Router Alert Option may not be
visible to the egress PE due to implementation or policy
considerations (e.g., if the egress PE processes the message as
"pop and go" without examining the IP header).
o BGP/MPLS VPNs support non-unique addressing of customer networks.
Thus, a PE at the ingress or egress of the provider backbone may
be called upon to process Path messages from different customer
VPNs with non-unique destination addresses within the RSVP
message. Current mechanisms for identifying customer context from
data packets are incompatible with RSVP message processing rules.
o A PE at the ingress of the provider's backbone may receive Resv
messages corresponding to different customer VPNs from other PEs,
and needs to be able to associate those Resv messages with the
appropriate customer VPNs.
Further discussion of these issues is presented in Section 2.
This document describes a set of procedures to overcome these
challenges and thus to enable admission control using RSVP over the
PE-CE links. We note that similar techniques may be applicable to
other protocols used for admission control such as the combination of
the NSIS Signaling Layer Protocol (NSLP) for Quality-of-Service (QoS)
Signaling [RFC5974] and General Internet Signaling Transport (GIST)
protocol [RFC5971].
Davie, et al. Standards Track [Page 4]
^L
RFC 6016 RSVP for L3VPNs October 2010
Additionally, it may be desirable to perform admission control over
the provider's backbone on behalf of one or more L3VPN customers.
Core (P) routers in a BGP/MPLS VPN do not have forwarding entries for
customer routes, and thus they cannot natively process RSVP messages
for customer flows. Also, the core is a shared resource that carries
traffic for many customers, so issues of resource allocation among
customers and trust (or lack thereof) also ought to be addressed.
This document specifies procedures for supporting such a scenario.
This document deals with establishing reservations for unicast flows
only. Because the support of multicast traffic in BGP/MPLS VPNs is
still evolving, and raises additional challenges for admission
control, we leave the support of multicast flows for further study at
this point.
1.1. Terminology
This document draws freely on the terminology defined in [RFC2205]
and [RFC4364]. For convenience, we provide a few brief definitions
here:
o Customer Edge (CE) Router: Router at the edge of a customer site
that attaches to the network of the VPN provider.
o Provider Edge (PE) Router: Router at the edge of the service
provider's network that attaches to one or more customer sites.
o VPN Label: An MPLS label associated with a route to a customer
prefix in a VPN (also called a VPN route label).
o VPN Routing and Forwarding (VRF) Table: A PE typically has
multiple VRFs, enabling it to be connected to CEs that are in
different VPNs.
1.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Problem Statement
The problem space of this document is the support of admission
control between customer sites when the customer subscribes to a BGP/
MPLS VPN. We subdivide the problem into (a) the problem of admission
control on the PE-CE links (in both directions) and (b) the problem
of admission control across the provider's backbone.
Davie, et al. Standards Track [Page 5]
^L
RFC 6016 RSVP for L3VPNs October 2010
RSVP Path messages are normally addressed to the destination of a
session, and contain the Router Alert Option (RAO) within the IP
header. Routers along the path to the destination that are
configured to process RSVP messages need to detect the presence of
the RAO to allow them to intercept Path messages. However, the
egress PEs of a network supporting BGP/MPLS VPNs receive packets
destined for customer sites as MPLS-encapsulated packets, and they
possibly forward those based only on examination of the MPLS label.
In order to process RSVP Path messages, the egress VPN PE would have
to pop the VPN label and examine the IP header underneath, before
forwarding the packet (based on the VPN label disposition rules),
which is not a requirement for data packet processing today. Hence,
a Path message would be forwarded without examination of the IP
options and would therefore not receive appropriate processing at the
PE. Another potential issue is doing Connection Admission Control
(CAC) at an Autonomous System Border Router (ASBR). Even an
implementation that examines the IP header when removing the VPN
label (e.g., PE-CE link) would not be able to do CAC at an Option-B
ASBR; that requires examining the (interior) IP header while doing a
label swap, which is much less desirable behavior.
In general, there are significant issues with requiring support for
IP Router Alert outside of a controlled, "walled-garden" network, as
described in [ALERT-USAGE]. The case of a MPLS L3VPN falls under the
"Overlay Model" described therein. Fundamental to this model is that
providers would seek to eliminate the requirement to process RAO-
marked packets from customers, on any routers except the PEs facing
those customers. Issues with requiring interior MPLS routers to
process RAO-marked packets are also described in [LER-OPTIONS]. The
approach for RSVP packet handling described in this document has the
advantage of being independent of any data-plane requirements such as
IP Router Alert support within the VPN or examining any IP options
for MPLS-encapsulated packets. The only requirement for processing
IP Router Alert packets is for RSVP packets received from the CE,
which do not carry any MPLS encapsulation.
For the PE-CE link subproblem, the most basic challenge is that RSVP
control messages contain IP addresses that are drawn from the
customer's address space, and PEs need to deal with traffic from many
customers who may have non-unique (or overlapping) address spaces.
Thus, it is essential that a PE be able, in all cases, to identify
the correct VPN context in which to process an RSVP control message.
The current mechanism for identifying the customer context is the VPN
label, which is carried in an MPLS header outside of the RSVP
message. This is divergent from the general RSVP model of session
identification ([RFC2205], [RFC2209]), which relies solely on RSVP
objects to identify sessions. Further, it is incompatible with
protocols like COPS/RSVP (Common Open Policy Service) ([RFC2748],
Davie, et al. Standards Track [Page 6]
^L
RFC 6016 RSVP for L3VPNs October 2010
[RFC2749]), which replace the IP encapsulation of the RSVP message
and send only RSVP objects to a COPS server. We believe it is
important to retain the model of completely identifying an RSVP
session from the contents of RSVP objects. Much of this document
deals with this issue.
For the case of making reservations across the provider backbone, we
observe that BGP/MPLS VPNs do not create any per-customer forwarding
state in the P (provider core) routers. Thus, in order to make
reservations on behalf of customer-specified flows, it is clearly
necessary to make some sort of aggregated reservation from PE-PE and
then map individual, customer-specific reservations onto an aggregate
reservation. That is similar to the problem tackled in [RFC3175] and
[RFC4804], with the additional complications of handling customer-
specific addressing associated with BGP/MPLS VPNs.
Consider the case where an MPLS VPN customer uses RSVP signaling
across his sites for resource reservation and admission control.
Let's further assume that, initially, RSVP is not processed through
the MPLS VPN cloud (i.e., RSVP messages from the sender to the
receiver travel transparently from CE to CE). In that case, RSVP
allows the establishment of resource reservations and admission
control on a subset of the flow path (from sender to ingress CE, and
from the RSVP router downstream of the egress CE to the receiver).
If admission control is then activated on any of the CE-PE link, the
provider's backbone, or PE-CE link (as allowed by the present
document), the customer will benefit from an extended coverage of
admission control and resource reservation: the resource reservation
will now span over a bigger subset of (and possibly the whole) flow
path, which in turn will increase the QoS granted to the
corresponding flow. Specific flows whose reservation is successful
through admission control on the newly enabled segments will indeed
benefit from this quality of service enhancement. However, it must
be noted that, in case there are not enough resources on one (or
more) of the newly enabled segments (e.g., say admission control is
enabled on a given PE-->CE link and there is not enough capacity on
that link to admit all reservations for all the flows traversing that
link), then some flows will not be able to maintain, or establish,
their reservation. While this may appear undesirable for these
flows, we observe that this only occurs if there is indeed a lack of
capacity on a segment, and that in the absence of admission control,
all flows would be established but would all suffer from the
resulting congestion on the bottleneck segment. We also observe
that, in the case of such a lack of capacity, admission control
allows enforcement of controlled and flexible policies (so that, for
example, more important flows can be granted higher priority at
Davie, et al. Standards Track [Page 7]
^L
RFC 6016 RSVP for L3VPNs October 2010
reserving resources). We note also that flows are given a chance to
establish smaller reservations so that the aggregate load can adapt
dynamically to the bottleneck capacity.
2.1. Model of Operation
Figure 1 illustrates the basic model of operation with which this
document is concerned.
--------------------------
/ Provider \
|----| | Backbone | |----|
Sender->| CE1| |-----| |-----| |CE2 |->Receiver
| |--| | |---| |---| | |---| |
|----| | | | P | | P | | | |----|
| PE1 |---| |-----| |-----| PE2 |
| | | | | | | |
| | |---| |---| | |
|-----| |-----|
| |
\ /
--------------------------
Figure 1. Model of Operation for RSVP-Based Admission
Control over MPLS/BGP VPN
To establish a unidirectional reservation for a point-to-point flow
from Sender to Receiver that takes account of resource availability
on the CE-PE and PE-CE links only, the following steps need to take
place:
1. The Sender sends a Path message to an IP address of the
Receiver.
2. The Path message is processed by CE1 using normal RSVP
procedures and forwarded towards the Receiver along the link
CE1-PE1.
3. PE1 processes the Path message and forwards it towards the
Receiver across the provider backbone.
4. PE2 processes the Path message and forwards it towards the
Receiver along link PE2-CE2.
5. CE2 processes the Path message using normal RSVP procedures and
forwards it towards the Receiver.
6. The Receiver sends a Resv message to CE2.
Davie, et al. Standards Track [Page 8]
^L
RFC 6016 RSVP for L3VPNs October 2010
7. CE2 sends the Resv message to PE2.
8. PE2 processes the Resv message (including performing admission
control on link PE2-CE2) and sends the Resv message to PE1.
9. PE1 processes the Resv message and sends the Resv message to
CE1.
10. CE1 processes the Resv message using normal RSVP procedures,
performs admission control on the link CE1-PE1, and sends the
Resv message to the Sender if successful.
In each of the steps involving Resv messages (6 through 10) the node
sending the Resv message uses the previously established Path state
to determine the "RSVP Previous Hop (PHOP)" and sends a Resv message
to that address. We note that establishing that Path state correctly
at PEs is one of the challenges posed by the BGP/MPLS environment.
3. Admission Control on PE-CE Links
In the following sections, we trace through the steps outlined in
Section 2.1 and expand on the details for those steps where standard
RSVP procedures need to be extended or modified to support the BGP/
MPLS VPN environment. For all the remaining steps described in the
preceding section, standard RSVP processing rules apply.
All the procedures described below support both IPv4 and IPv6
addressing. In all cases where IPv4 is referenced, IPv6 can be
substituted with identical procedures and results. Object
definitions for both IPv4 and IPv6 are provided in Section 8.
3.1. New Objects of Type VPN-IPv4
For RSVP signaling within a VPN, certain RSVP objects need to be
extended. Since customer IP addresses need not be unique, the
current types of SESSION, SENDER_TEMPLATE, and FILTERSPEC objects are
no longer sufficient to globally identify RSVP states in P/PE
routers, since they are currently based on IP addresses. We propose
new types of SESSION, SENDER_TEMPLATE, and FILTERSPEC objects, which
contain globally unique VPN-IPv4 format addresses. The ingress and
egress PE nodes translate between the regular IPv4 addresses for
messages to and from the CE, and VPN-IPv4 addresses for messages to
and from PE routers. The rules for this translation are described in
later sections.
Davie, et al. Standards Track [Page 9]
^L
RFC 6016 RSVP for L3VPNs October 2010
The RSVP_HOP object in an RSVP message currently specifies an IP
address to be used by the neighboring RSVP hop to reply to the
message sender. However, MPLS VPN PE routers (especially those
separated by Option-B ASBRs) are not required to have direct IP
reachability to each other. To solve this issue, we propose the use
of label switching to forward RSVP messages between nodes within an
MPLS VPN. This is achieved by defining a new VPN-IPv4 RSVP_HOP
object. Use of the VPN-IPv4 RSVP_HOP object enables any two adjacent
RSVP hops in an MPLS VPN (e.g., a PE in Autonomous System (AS) 1 and
a PE in AS2) to correctly identify each other and send RSVP messages
directly to each other.
The VPN-IPv4 RSVP_HOP object carries the IPv4 address of the message
sender and a Logical Interface Handle (LIH) as before, but in
addition carries a VPN-IPv4 address that also represents the sender
of the message. The message sender MUST also advertise this VPN-IPv4
address into BGP, associated with a locally allocated label, and this
advertisement MUST be propagated by BGP throughout the VPN and to
adjacent ASes if required to provide reachability to this PE. Frames
received by the PE marked with this label MUST be given to the local
control plane for processing. When a neighboring RSVP hop wishes to
reply to a message carrying a VPN-IPv4 RSVP_HOP, it looks for a BGP
advertisement of the VPN-IPv4 address contained in that RSVP_HOP. If
this address is found and carries an associated label, the
neighboring RSVP node MUST encapsulate the RSVP message with this
label and send it via MPLS encapsulation to the BGP next hop
associated with the route. The destination IP address of the message
is taken from the IP address field of the RSVP_HOP object, as
described in [RFC2205]. Additionally, the IPv4 address in the
RSVP_HOP object continues to be used for all other existing purposes,
including neighbor matching between Path/Resv and SRefresh messages
[RFC2961], authentication [RFC2747], etc.
The VPN-IPv4 address used in the VPN-IPv4 RSVP_HOP object MAY
represent an existing address in the VRF that corresponds to the flow
(e.g., a local loopback or PE-CE link address within the VRF for this
customer), or it MAY be created specially for this purpose. In the
case where the address is specially created for RSVP signaling (and
possibly other control protocols), the BGP advertisement MUST NOT be
redistributed to, or reachable by, any CEs outside the MPLS VPN. One
way to achieve this is by creating a special "control protocols VPN"
with VRF state on every PE/ASBR, carrying route targets not imported
into customer VRFs. In the case where a customer VRF address is used
as the VPN-IPv4 address, a VPN-IPv4 address in one customer VRF MUST
NOT be used to signal RSVP messages for a flow in a different VRF.
Davie, et al. Standards Track [Page 10]
^L
RFC 6016 RSVP for L3VPNs October 2010
If a PE/ASBR is sending a Path message to another PE/ASBR within the
VPN, and it has any appropriate VPN-IPv4 address for signaling that
satisfies the requirements outlined above, it MUST use a VPN-IPv4
RSVP_HOP object with this address for all RSVP messages within the
VPN. If a PE/ASBR does not have any appropriate VPN-IPv4 address to
use for signaling, it MAY send the Path message with a regular IPv4
RSVP_HOP object. In this case, the reply will be IP encapsulated.
This option is not preferred because there is no guarantee that the
neighboring RSVP hop has IP reachability to the sending node. If a
PE/ASBR receives or originates a Path message with a VPN-IPv4
RSVP_HOP object, any RSVP_HOP object in corresponding upstream
messages for this flow (e.g., Resv, ResvTear) or downstream messages
(e.g., ResvError, PathTear) sent by this node within the VPN MUST be
a VPN-IPv4 RSVP_HOP.
3.2. Path Message Processing at Ingress PE
When a Path message arrives at the ingress PE (step 3 of Section 2.1)
the PE needs to establish suitable Path state and forward the Path
message on to the egress PE. In the following paragraphs, we
described the steps taken by the ingress PE.
The Path message is addressed to the eventual destination (the
receiver at the remote customer site) and carries the IP Router Alert
Option, in accordance with [RFC2205]. The ingress PE MUST recognize
the Router Alert Option, intercept these messages and process them as
RSVP signaling messages.
As noted above, there is an issue in recognizing Path messages as
they arrive at the egress PE (PE2 in Figure 1). The approach defined
here is to address the Path messages sent by the ingress PE directly
to the egress PE, and send it without the IP Router Alert Option;
that is, rather than using the ultimate receiver's destination
address as the destination address of the Path message, we use the
loopback address of the egress PE as the destination address of the
Path message. This approach has the advantage that it does not
require any new data-plane capabilities for the egress PE beyond
those of a standard BGP/MPLS VPN PE. Details of the processing of
this message at the egress PE are described below in Section 3.3.
The approach of addressing a Path message directly to an RSVP next
hop (that may or may not be the next IP hop) is already used in other
environments such as those of [RFC4206] and [RFC4804].
The details of operation at the ingress PE are as follows. When the
ingress PE (PE1 in Figure 1) receives a Path message from CE1 that is
addressed to the receiver, the VRF that is associated with the
incoming interface is identified, just as for normal data path
operations. The Path state for the session is stored, and is
Davie, et al. Standards Track [Page 11]
^L
RFC 6016 RSVP for L3VPNs October 2010
associated with that VRF, so that potentially overlapping addresses
among different VPNs do not appear to belong to the same session.
The destination address of the receiver is looked up in the
appropriate VRF, and the BGP next hop for that destination is
identified. That next hop is the egress PE (PE2 in Figure 1). A new
VPN-IPv4 SESSION object is constructed, containing the Route
Distinguisher (RD) that is part of the VPN-IPv4 route prefix for this
destination, and the IPv4 address from the SESSION. In addition, a
new VPN-IPv4 SENDER_TEMPLATE object is constructed, with the original
IPv4 address from the incoming SENDER_TEMPLATE plus the RD that is
used by this PE to advertise that prefix for this customer into the
VPN. A new Path message is constructed with a destination address
equal to the address of the egress PE identified above. This new
Path message will contain all the objects from the original Path
message, replacing the original SESSION and SENDER_TEMPLATE objects
with the new VPN-IPv4 type objects. The Path message is sent without
the Router Alert Option and contains an RSVP_HOP object constructed
as specified in Section 3.1.
3.3. Path Message Processing at Egress PE
When a Path message arrives at the egress PE, (step 4 of Section 2.1)
it is addressed to the PE itself, and is handed to RSVP for
processing. The router extracts the RD and IPv4 address from the
VPN-IPv4 SESSION object, and determines the local VRF context by
finding a matching VPN-IPv4 prefix with the specified RD that has
been advertised by this router into BGP. The entire incoming RSVP
message, including the VRF information, is stored as part of the Path
state.
Now the RSVP module can construct a Path message that differs from
the Path it received in the following ways:
a. Its destination address is the IP address extracted from the
SESSION object;
b. The SESSION and SENDER_TEMPLATE objects are converted back to
IPv4-type by discarding the attached RD;
c. The RSVP_HOP Object contains the IP address of the outgoing
interface of the egress PE and a Logical Interface Handle (LIH),
as per normal RSVP processing.
The router then sends the Path message on towards its destination
over the interface identified above. This Path message carries the
Router Alert Option as required by [RFC2205].
Davie, et al. Standards Track [Page 12]
^L
RFC 6016 RSVP for L3VPNs October 2010
3.4. Resv Processing at Egress PE
When a receiver at the customer site originates a Resv message for
the session, normal RSVP procedures apply until the Resv, making its
way back towards the sender, arrives at the "egress" PE (step 8 of
Section 2.1). Note that this is the "egress" PE with respect to the
direction of data flow, i.e., PE2 in Figure 1. On arriving at PE2,
the SESSION and FILTER_SPEC objects in the Resv, and the VRF in which
the Resv was received, are used to find the matching Path state
stored previously. At this stage, admission control can be performed
on the PE-CE link.
Assuming admission control is successful, the PE constructs a Resv
message to send to the RSVP previous hop stored in the Path state,
i.e., the ingress PE (PE1 in Figure 1). The IPv4 SESSION object is
replaced with the same VPN-IPv4 SESSION object received in the Path.
The IPv4 FILTER_SPEC object is replaced with a VPN-IPv4 FILTER_SPEC
object, which copies the VPN-IPv4 address from the SENDER_TEMPLATE
received in the matching Path message. The RSVP_HOP in the Resv
message MUST be constructed as specified in Section 3.1. The Resv
message MUST be addressed to the IP address contained within the
RSVP_HOP object in the Path message. If the Path message contained a
VPN-IPv4 RSVP_HOP object, the Resv MUST be MPLS encapsulated using
the label associated with that VPN-IPv4 address in BGP, as described
in Section 3.1. If the Path message contained an IPv4 RSVP_HOP
object, the Resv is simply IP encapsulated and addressed directly to
the IP address in the RSVP_HOP object.
If admission control is not successful on the egress PE, a ResvError
message is sent towards the receiver as per normal RSVP processing.
3.5. Resv Processing at Ingress PE
Upon receiving a Resv message at the ingress PE (step 8 of
Section 2.1) with respect to data flow (i.e., PE1 in Figure 1), the
PE determines the local VRF context and associated Path state for
this Resv by decoding the received SESSION and FILTER_SPEC objects.
It is now possible to generate a Resv message to send to the
appropriate CE. The Resv message sent to the ingress CE will contain
IPv4 SESSION and FILTER_SPEC objects, derived from the appropriate
Path state. Since we assume, in this section, that admission control
over the provider's backbone is not needed, the ingress PE does not
perform any admission control for this reservation.
Davie, et al. Standards Track [Page 13]
^L
RFC 6016 RSVP for L3VPNs October 2010
3.6. Other RSVP Messages
Processing of PathError, PathTear, ResvError, ResvTear, and ResvConf
messages is generally straightforward and follows the rules of
[RFC2205]. These additional rules MUST be observed for messages
transmitted within the VPN (i.e., between the PEs):
o The SESSION, SENDER_TEMPLATE, and FILTER_SPEC objects MUST be
converted from IPv4 to VPN-IPv4 form and back in the same manner
as described above for Path and Resv messages.
o The appropriate type of RSVP_HOP object (VPN-IPv4 or IPv4) MUST be
used as described above.
o Depending on the type of RSVP_HOP object received from the
neighbor, the message MUST be MPLS encapsulated or IP encapsulated
as described above.
o The matching state and VRF MUST be determined by decoding the RD
and IPv4 addresses in the SESSION and FILTER_SPEC objects.
o The message MUST be directly addressed to the appropriate PE,
without using the Router Alert Option.
4. Admission Control in Provider's Backbone
The preceding section outlines how per-customer reservations can be
made over the PE-CE links. This may be sufficient in many situations
where the backbone is well engineered with ample capacity and there
is no need to perform any sort of admission control in the backbone.
However, in some cases where excess capacity cannot be relied upon
(e.g., during failures or unanticipated periods of overload), it may
be desirable to be able to perform admission control in the backbone
on behalf of customer traffic.
Because of the fact that routes to customer addresses are not present
in the P routers, along with the concerns of scalability that would
arise if per-customer reservations were allowed in the P routers, it
is clearly necessary to map the per-customer reservations described
in the preceding section onto some sort of aggregate reservations.
Furthermore, customer data packets need to be tunneled across the
provider backbone just as in normal BGP/MPLS VPN operation.
Given these considerations, a feasible way to achieve the objective
of admission control in the backbone is to use the ideas described in
[RFC4804]. MPLS-TE tunnels can be established between PEs as a means
to perform aggregate admission control in the backbone.
Davie, et al. Standards Track [Page 14]
^L
RFC 6016 RSVP for L3VPNs October 2010
An MPLS-TE tunnel from an ingress PE to an egress PE can be thought
of as a virtual link of a certain capacity. The main change to the
procedures described above is that when a Resv is received at the
ingress PE, an admission control decision can be performed by
checking whether sufficient capacity of that virtual link remains
available to admit the new customer reservation. We note also that
[RFC4804] uses the IF_ID RSVP_HOP object to identify the tunnel
across the backbone, rather than the simple RSVP_HOP object described
in Section 3.2. The procedures of [RFC4804] should be followed here
as well.
To achieve effective admission control in the backbone, there needs
to be some way to separate the data-plane traffic that has a
reservation from that which does not. We assume that packets that
are subject to admission control on the core will be given a
particular MPLS EXP value, and that no other packets will be allowed
to enter the core with this value unless they have passed admission
control. Some fraction of link resources will be allocated to queues
on core links for packets bearing that EXP value, and the MPLS-TE
tunnels will use that resource pool to make their constraint-based
routing and admission control decisions. This is all consistent with
the principles of aggregate RSVP reservations described in [RFC3175].
5. Inter-AS Operation
[RFC4364] defines three modes of inter-AS operation for MPLS/BGP
VPNs, referred to as Options A, B, and C. In the following sections
we describe how the scheme described above can operate in each
inter-AS environment.
5.1. Inter-AS Option A
Operation of RSVP in Inter-AS Option A is quite straightforward.
Each ASBR operates like a PE, and the ASBR-ASBR links can be viewed
as PE-CE links in terms of admission control. If the procedures
defined in Section 3 are enabled on both ASBRs, then admission
control may be performed on the inter-ASBR links. In addition, the
operator of each AS can independently decide whether or not to
perform admission control across his backbone. The new objects
described in this document MUST NOT be sent in any RSVP message
between two Option-A ASBRs.
5.2. Inter-AS Option B
To support inter-AS Option B, we require some additional processing
of RSVP messages on the ASBRs. Recall that, when packets are
forwarded from one AS to another in Option B, the VPN label is
swapped by each ASBR as a packet goes from one AS to another. The
Davie, et al. Standards Track [Page 15]
^L
RFC 6016 RSVP for L3VPNs October 2010
BGP next hop seen by the ingress PE will be the ASBR, and there need
not be IP visibility between the ingress and egress PEs. Hence, when
the ingress PE sends the Path message to the BGP next hop of the VPN-
IPv4 route towards the destination, it will be received by the ASBR.
The ASBR determines the next hop of the route in a similar way as the
ingress PE -- by finding a matching BGP VPN-IPv4 route with the same
RD and a matching prefix.
The provider(s) who interconnect ASes using Option B may or may not
desire to perform admission control on the inter-AS links. This
choice affects the detailed operation of ASBRs. We describe the two
modes of operation -- with and without admission control at the ASBRs
-- in the following sections.
5.2.1. Admission Control on ASBR
In this scenario, the ASBR performs full RSVP signaling and admission
control. The RSVP database is indexed on the ASBR using the VPN-IPv4
SESSION, SENDER_TEMPLATE, and FILTER_SPEC objects (which uniquely
identify RSVP sessions and flows as per the requirements of
[RFC2205]). These objects are forwarded unmodified in both
directions by the ASBR. All other procedures of RSVP are performed
as if the ASBR was an RSVP hop. In particular, the RSVP_HOP objects
sent in Path and Resv messages contain IP addresses of the ASBR,
which MUST be reachable by the neighbor to whom the message is being
sent. Note that since the VPN-IPv4 SESSION, SENDER_TEMPLATE, and
FILTER_SPEC objects satisfy the uniqueness properties required for an
RSVP database implementation as per [RFC2209], no customer VRF
awareness is required on the ASBR.
5.2.2. No Admission Control on ASBR
If the ASBR is not doing admission control, it is desirable that per-
flow state not be maintained on the ASBR. This requires adjacent
RSVP hops (i.e., the ingress and egress PEs of the respective ASes)
to send RSVP messages directly to each other. This is only possible
if they are MPLS encapsulated. The use of the VPN-IPv4 RSVP_HOP
object described in Section 3.1 is REQUIRED in this case.
When an ASBR that is not installing local RSVP state receives a Path
message, it looks up the next hop of the matching BGP route as
described in Section 3.2, and sends the Path message to the next hop,
without modifying any RSVP objects (including the RSVP_HOP). This
process is repeated at subsequent ASBRs until the Path message
arrives at a router that is installing local RSVP state (either the
ultimate egress PE, or an ASBR configured to perform admission
control). This router receives the Path and processes it as
described in Section 3.3 if it is a PE, or Section 5.2.1 if it is an
Davie, et al. Standards Track [Page 16]
^L
RFC 6016 RSVP for L3VPNs October 2010
ASBR performing admission control. When this router sends the Resv
upstream, it looks up the routing table for a next hop+label for the
VPN-IPv4 address in the PHOP, encapsulates the Resv with that label,
and sends it upstream. This message will be received for control
processing directly on the upstream RSVP hop (that last updated the
RSVP_HOP field in the Path message), without any involvement of
intermediate ASBRs.
The ASBR is not expected to process any other RSVP messages apart
from the Path message as described above. The ASBR also does not
need to store any RSVP state. Note that any ASBR along the path that
wishes to do admission control or insert itself into the RSVP
signaling flow may do so by writing its own RSVP_HOP object with IPv4
and VPN-IPv4 addresses pointing to itself.
If an Option-B ASBR that receives an RSVP Path message with an IPv4
RSVP_HOP does not wish to perform admission control but is willing to
install local state for this flow, the ASBR MUST process and forward
RSVP signaling messages for this flow as described in Section 5.2.1
(with the exception that it does not perform admission control). If
an Option-B ASBR receives an RSVP Path message with an IPv4 RSVP_HOP,
but does not wish to install local state or perform admission control
for this flow, the ASBR MUST NOT forward the Path message. In
addition, the ASBR SHOULD send a PathError message of Error Code
"RSVP over MPLS Problem" and Error Value "RSVP_HOP not reachable
across VPN" (see Section 9) signifying to the upstream RSVP hop that
the supplied RSVP_HOP object is insufficient to provide reachability
across this VPN. This failure condition is not expected to be
recoverable.
5.3. Inter-AS Option C
Operation of RSVP in Inter-AS Option C is also quite straightforward,
because there exists an LSP directly from ingress PE to egress PE.
In this case, there is no significant difference in operation from
the single AS case described in Section 3. Furthermore, if it is
desired to provide admission control from PE to PE, it can be done by
building an inter-AS TE tunnel and then using the procedures
described in Section 4.
6. Operation with RSVP Disabled
It is often the case that RSVP will not be enabled on the PE-CE
links. In such an environment, a customer may reasonably expect that
RSVP messages sent into the L3 VPN network should be forwarded just
like any other IP datagrams. This transparency is useful when the
customer wishes to use RSVP within his own sites or perhaps to
perform admission control on the CE-PE links (in CE->PE direction
Davie, et al. Standards Track [Page 17]
^L
RFC 6016 RSVP for L3VPNs October 2010
only), without involvement of the PEs. For this reason, a PE SHOULD
NOT discard or modify RSVP messages sent towards it from a CE when
RSVP is not enabled on the PE-CE links. Similarly a PE SHOULD NOT
discard or modify RSVP messages that are destined for one of its
attached CEs, even when RSVP is not enabled on those links. Note
that the presence of the Router Alert Option in some RSVP messages
may cause them to be forwarded outside of the normal forwarding path,
but that the guidance of this paragraph still applies in that case.
Note also that this guidance applies regardless of whether RSVP-TE is
used in some, all, or none of the L3VPN network.
7. Other RSVP Procedures
This section describes modifications to other RSVP procedures
introduced by MPLS VPNs.
7.1. Refresh Overhead Reduction
The following points ought to be noted regarding RSVP refresh
overhead reduction [RFC2961] across an MPLS VPN:
o The hop between the ingress and egress PE of a VPN is to be
considered as traversing one or more non-RSVP hops. As such, the
procedures described in Section 5.3 of [RFC2961] relating to non-
RSVP hops SHOULD be followed.
o The source IP address of a SRefresh message MUST match the IPv4
address signaled in the RSVP_HOP object contained in the
corresponding Path or Resv message. The IPv4 address in any
received VPN-IPv4 RSVP_HOP object MUST be used as the source
address of that message for this purpose.
7.2. Cryptographic Authentication
The following points ought to be noted regarding RSVP cryptographic
authentication ([RFC2747]) across an MPLS VPN:
o The IPv4 address in any received VPN-IPv4 RSVP_HOP object MUST be
used as the source address of that message for purposes of
identifying the security association.
o Forwarding of Challenge and Response messages MUST follow the same
rules as described above for hop-by-hop messages. Specifically,
if the originator of a Challenge/Response message has received a
VPN-IPv4 RSVP_HOP object from the corresponding neighbor, it MUST
use the label associated with that VPN-IPv4 address in BGP to
forward the Challenge/Response message.
Davie, et al. Standards Track [Page 18]
^L
RFC 6016 RSVP for L3VPNs October 2010
7.3. RSVP Aggregation
[RFC3175] and [RFC4860] describe mechanisms to aggregate multiple
individual RSVP reservations into a single larger reservation on the
basis of a common Differentiated Services Code Point/Per-Hop Behavior
(DSCP/PHB) for traffic classification. The following points ought to
be noted in this regard:
o The procedures described in this section apply only in the case
where the Aggregator and Deaggregator nodes are C/CE devices, and
the entire MPLS VPN lies within the Aggregation Region. The case
where the PE is also an Aggregator/Deaggregator is more complex
and not considered in this document.
o Support of Aggregate RSVP sessions is OPTIONAL. When supported:
* Aggregate RSVP sessions MUST be treated in the same way as
regular IPv4 RSVP sessions. To this end, all the procedures
described in Sections 3 and 4 MUST be followed for aggregate
RSVP sessions. The corresponding new SESSION, SENDER_TEMPLATE,
and FILTERSPEC objects are defined in Section 8.
* End-To-End (E2E) RSVP sessions are passed unmodified through
the MPLS VPN. These RSVP messages SHOULD be identified by
their IP protocol (RSVP-E2E-IGNORE, 134). When the ingress PE
receives any RSVP message with this IP protocol, it MUST
process this frame as if it is regular customer traffic and
ignore any Router Alert Option. The appropriate VPN and
transport labels are applied to the frame and it is forwarded
towards the remote CE. Note that this message will not be
received or processed by any other P or PE node.
* Any SESSION-OF-INTEREST object (defined in [RFC4860]) MUST be
conveyed unmodified across the MPLS VPN.
7.4. Support for CE-CE RSVP-TE
[RFC5824] describes a set of requirements for the establishment for
CE-CE MPLS LSPs across networks offering an L3VPN service. The
requirements specified in that document are similar to those
addressed by this document, in that both address the issue of
handling RSVP requests from customers in a VPN context. It is
possible that the solution described here could be adapted to meet
the requirements of [RFC5824]. To the extent that this document uses
signaling extensions described in [RFC3473] that have already been
used for GMPLS/TE, we expect that CE-CE RSVP/TE will be incremental
work built on these extensions. These extensions will be considered
in a separate document.
Davie, et al. Standards Track [Page 19]
^L
RFC 6016 RSVP for L3VPNs October 2010
8. Object Definitions
8.1. VPN-IPv4 and VPN-IPv6 SESSION Objects
The usage of the VPN-IPv4 (or VPN-IPv6) SESSION object is described
in Sections 3.2 to 3.6. The VPN-IPv4 (or VPN-IPv6) SESSION object
appears in RSVP messages that ordinarily contain a SESSION object and
are sent between ingress PE and egress PE in either direction. The
object MUST NOT be included in any RSVP messages that are sent
outside of the provider's backbone (except in the inter-AS Option-B
and Option-C cases, as described above, when it may appear on
inter-AS links).
The VPN-IPv6 SESSION object is analogous to the VPN-IPv4 SESSION
object, using an VPN-IPv6 address ([RFC4659]) instead of an VPN-IPv4
address ([RFC4364]).
The formats of the objects are as follows:
o VPN-IPv4 SESSION object: Class = 1, C-Type = 19
+-------------+-------------+-------------+-------------+
| |
+ +
| VPN-IPv4 DestAddress (12 bytes) |
+ +
| |
+-------------+-------------+-------------+-------------+
| Protocol Id | Flags | DstPort |
+-------------+-------------+-------------+-------------+
o VPN-IPv6 SESSION object: Class = 1, C-Type = 20
+-------------+-------------+-------------+-------------+
| |
+ +
| |
+ VPN-IPv6 DestAddress (24 bytes) +
/ /
. .
/ /
| |
+-------------+-------------+-------------+-------------+
| Protocol Id | Flags | DstPort |
+-------------+-------------+-------------+-------------+
Davie, et al. Standards Track [Page 20]
^L
RFC 6016 RSVP for L3VPNs October 2010
The VPN-IPv4 DestAddress (respectively, VPN-IPv6 DestAddress) field
contains an address of the VPN-IPv4 (respectively, VPN-IPv6) address
family encoded as specified in [RFC4364] (respectively, [RFC4659]).
The content of this field is discussed in Sections 3.2 and 3.3.
The protocol ID, flags, and DstPort are identical to the same fields
in the IPv4 and IPv6 SESSION objects ([RFC2205]).
8.2. VPN-IPv4 and VPN-IPv6 SENDER_TEMPLATE Objects
The usage of the VPN-IPv4 (or VPN-IPv6) SENDER_TEMPLATE object is
described in Sections 3.2 and 3.3. The VPN-IPv4 (or VPN-IPv6)
SENDER_TEMPLATE object appears in RSVP messages that ordinarily
contain a SENDER_TEMPLATE object and are sent between ingress PE and
egress PE in either direction (such as Path, PathError, and
PathTear). The object MUST NOT be included in any RSVP messages that
are sent outside of the provider's backbone (except in the inter-AS
Option-B and Option-C cases, as described above, when it may appear
on inter-AS links). The format of the object is as follows:
o VPN-IPv4 SENDER_TEMPLATE object: Class = 11, C-Type = 14
+-------------+-------------+-------------+-------------+
| |
+ +
| VPN-IPv4 SrcAddress (12 bytes) |
+ +
| |
+-------------+-------------+-------------+-------------+
| Reserved | SrcPort |
+-------------+-------------+-------------+-------------+
o VPN-IPv6 SENDER_TEMPLATE object: Class = 11, C-Type = 15
+-------------+-------------+-------------+-------------+
| |
+ +
| |
+ VPN-IPv6 SrcAddress (24 bytes) +
/ /
. .
/ /
| |
+-------------+-------------+-------------+-------------+
| Reserved | SrcPort |
+-------------+-------------+-------------+-------------+
Davie, et al. Standards Track [Page 21]
^L
RFC 6016 RSVP for L3VPNs October 2010
The VPN-IPv4 SrcAddress (respectively, VPN-IPv6 SrcAddress) field
contains an address of the VPN-IPv4 (respectively, VPN-IPv6) address
family encoded as specified in [RFC4364] (respectively, [RFC4659]).
The content of this field is discussed in Sections 3.2 and 3.3.
The SrcPort is identical to the SrcPort field in the IPv4 and IPv6
SENDER_TEMPLATE objects ([RFC2205]).
The Reserved field MUST be set to zero on transmit and ignored on
receipt.
8.3. VPN-IPv4 and VPN-IPv6 FILTER_SPEC Objects
The usage of the VPN-IPv4 (or VPN-IPv6) FILTER_SPEC object is
described in Sections 3.4 and 3.5. The VPN-IPv4 (or VPN-IPv6)
FILTER_SPEC object appears in RSVP messages that ordinarily contain a
FILTER_SPEC object and are sent between ingress PE and egress PE in
either direction (such as Resv, ResvError, and ResvTear). The object
MUST NOT be included in any RSVP messages that are sent outside of
the provider's backbone (except in the inter-AS Option-B and Option-C
cases, as described above, when it may appear on inter-AS links).
o VPN-IPv4 FILTER_SPEC object: Class = 10, C-Type = 14
Definition same as VPN-IPv4 SENDER_TEMPLATE object.
o VPN-IPv6 FILTER_SPEC object: Class = 10, C-Type = 15
Definition same as VPN-IPv6 SENDER_TEMPLATE object.
The content of the VPN-IPv4 SrcAddress (or VPN-IPv6 SrcAddress) field
is discussed in Sections 3.4 and 3.5.
The SrcPort is identical to the SrcPort field in the IPv4 and IPv6
SENDER_TEMPLATE objects ([RFC2205]).
The Reserved field MUST be set to zero on transmit and ignored on
receipt.
8.4. VPN-IPv4 and VPN-IPv6 RSVP_HOP Objects
Usage of the VPN-IPv4 (or VPN-IPv6) RSVP_HOP object is described in
Sections 3.1 and 5.2.2. The VPN-IPv4 (VPN-IPv6) RSVP_HOP object is
used to establish signaling reachability between RSVP neighbors
separated by one or more Option-B ASBRs. This object may appear in
RSVP messages that carry an RSVP_HOP object, and that travel between
the ingress and egress PEs. It MUST NOT be included in any RSVP
Davie, et al. Standards Track [Page 22]
^L
RFC 6016 RSVP for L3VPNs October 2010
messages that are sent outside of the provider's backbone (except in
the inter-AS Option-B and Option-C cases, as described above, when it
may appear on inter-AS links). The format of the object is as
follows:
o VPN-IPv4 RSVP_HOP object: Class = 3, C-Type = 5
+-------------+-------------+-------------+-------------+
| IPv4 Next/Previous Hop Address (4 bytes) |
+-------------+-------------+-------------+-------------+
| |
+ +
| VPN-IPv4 Next/Previous Hop Address (12 bytes) |
+ +
| |
+-------------+-------------+-------------+-------------+
| Logical Interface Handle |
+-------------+-------------+-------------+-------------+
o VPN-IPv6 RSVP_HOP object: Class = 3, C-Type = 6
+-------------+-------------+-------------+-------------+
| |
+ +
| |
+ IPv6 Next/Previous Hop Address (16 bytes) +
| |
+ +
| |
+-------------+-------------+-------------+-------------+
| |
+ +
| |
+ VPN-IPv6 Next/Previous Hop Address (24 bytes) +
/ /
. .
/ /
| |
+-------------+-------------+-------------+-------------+
| Logical Interface Handle |
+-------------+-------------+-------------+-------------+
The IPv4 Next/Previous Hop Address, IPv6 Next/Previous Hop Address,
and the Logical Interface Handle fields are identical to those of the
RSVP_HOP object ([RFC2205]).
Davie, et al. Standards Track [Page 23]
^L
RFC 6016 RSVP for L3VPNs October 2010
The VPN-IPv4 Next/Previous Hop Address (respectively, VPN-IPv6 Next/
Previous Hop Address) field contains an address of the VPN-IPv4
(respectively, VPN-IPv6) address family encoded as specified in
[RFC4364] (respectively, [RFC4659]). The content of this field is
discussed in Section 3.1.
8.5. Aggregated VPN-IPv4 and VPN-IPv6 SESSION Objects
The usage of Aggregated VPN-IPv4 (or VPN-IPv6) SESSION object is
described in Section 7.3. The AGGREGATE-VPN-IPv4 (respectively,
AGGREGATE-IPv6-VPN) SESSION object appears in RSVP messages that
ordinarily contain a AGGREGATE-IPv4 (respectively, AGGREGATE-IPv6)
SESSION object as defined in [RFC3175] and are sent between ingress
PE and egress PE in either direction. The GENERIC-AGGREGATE-VPN-IPv4
(respectively, AGGREGATE-VPN-IPv6) SESSION object should appear in
all RSVP messages that ordinarily contain a GENERIC-AGGREGATE-IPv4
(respectively, GENERIC-AGGREGATE-IPv6) SESSION object as defined in
[RFC4860] and are sent between ingress PE and egress PE in either
direction. These objects MUST NOT be included in any RSVP messages
that are sent outside of the provider's backbone (except in the
inter-AS Option-B and Option-C cases, as described above, when it may
appear on inter-AS links). The processing rules for these objects
are otherwise identical to those of the VPN-IPv4 (respectively, VPN-
IPv6) SESSION object defined in Section 8.1. The format of the
object is as follows:
o AGGREGATE-VPN-IPv4 SESSION object: Class = 1, C-Type = 21
+-------------+-------------+-------------+-------------+
| |
+ +
| VPN-IPv4 DestAddress (12 bytes) |
+ +
| |
+-------------+-------------+-------------+-------------+
| Reserved | Flags | Reserved | DSCP |
+-------------+-------------+-------------+-------------+
Davie, et al. Standards Track [Page 24]
^L
RFC 6016 RSVP for L3VPNs October 2010
o AGGREGATE-VPN-IPv6 SESSION object: Class = 1, C-Type = 22
+-------------+-------------+-------------+-------------+
| |
+ +
| |
+ VPN-IPv6 DestAddress (24 bytes) +
/ /
. .
/ /
| |
+-------------+-------------+-------------+-------------+
| Reserved | Flags | Reserved | DSCP |
+-------------+-------------+-------------+-------------+
The VPN-IPv4 DestAddress (respectively, VPN-IPv6 DestAddress) field
contains an address of the VPN-IPv4 (respectively, VPN-IPv6) address
family encoded as specified in [RFC4364] (respectively, [RFC4659]).
The content of this field is discussed in Sections 3.2 and 3.3.
The flags and DSCP are identical to the same fields of the AGGREGATE-
IPv4 and AGGREGATE-IPv6 SESSION objects ([RFC3175]).
The Reserved field MUST be set to zero on transmit and ignored on
receipt.
o GENERIC-AGGREGATE-VPN-IPv4 SESSION object:
Class = 1, C-Type = 23
+-------------+-------------+-------------+-------------+
| |
+ +
| VPN-IPv4 DestAddress (12 bytes) |
+ +
| |
+-------------+-------------+-------------+-------------+
| Reserved | Flags | PHB-ID |
+-------------+-------------+-------------+-------------+
| Reserved | vDstPort |
+-------------+-------------+-------------+-------------+
| Extended vDstPort |
+-------------+-------------+-------------+-------------+
Davie, et al. Standards Track [Page 25]
^L
RFC 6016 RSVP for L3VPNs October 2010
o GENERIC-AGGREGATE-VPN-IPv6 SESSION object:
Class = 1, C-Type = 24
+-------------+-------------+-------------+-------------+
| |
+ +
| |
+ VPN-IPv6 DestAddress (24 bytes) +
/ /
. .
/ /
| |
+-------------+-------------+-------------+-------------+
| Reserved | Flags | PHB-ID |
+-------------+-------------+-------------+-------------+
| Reserved | vDstPort |
+-------------+-------------+-------------+-------------+
| Extended vDstPort |
+-------------+-------------+-------------+-------------+
The VPN-IPv4 DestAddress (respectively, VPN-IPv6 DestAddress) field
contains an address of the VPN-IPv4 (respectively, VPN-IPv6) address
family encoded as specified in [RFC4364] (respectively, [RFC4659]).
The content of this field is discussed in Sections 3.2 and 3.3.
The flags, PHB-ID, vDstPort, and Extended vDstPort are identical to
the same fields of the GENERIC-AGGREGATE-IPv4 and GENERIC-AGGREGATE-
IPv6 SESSION objects ([RFC4860]).
The Reserved field MUST be set to zero on transmit and ignored on
receipt.
8.6. AGGREGATE-VPN-IPv4 and AGGREGATE-VPN-IPv6 SENDER_TEMPLATE Objects
The usage of Aggregated VPN-IPv4 (or VPN-IPv6) SENDER_TEMPLATE object
is described in Section 7.3. The AGGREGATE-VPN-IPv4 (respectively,
AGGREGATE-VPN-IPv6) SENDER_TEMPLATE object appears in RSVP messages
that ordinarily contain a AGGREGATE-IPv4 (respectively, AGGREGATE-
IPv6) SENDER_TEMPLATE object as defined in [RFC3175] and [RFC4860],
and are sent between ingress PE and egress PE in either direction.
These objects MUST NOT be included in any RSVP messages that are sent
outside of the provider's backbone (except in the inter-AS Option-B
and Option-C cases, as described above, when it may appear on
inter-AS links). The processing rules for these objects are
otherwise identical to those of the VPN-IPv4 (respectively, VPN-IPv6)
SENDER_TEMPLATE object defined in Section 8.2. The format of the
object is as follows:
Davie, et al. Standards Track [Page 26]
^L
RFC 6016 RSVP for L3VPNs October 2010
o AGGREGATE-VPN-IPv4 SENDER_TEMPLATE object:
Class = 11, C-Type = 16
+-------------+-------------+-------------+-------------+
| |
+ +
| VPN-IPv4 AggregatorAddress (12 bytes) |
+ +
| |
+-------------+-------------+-------------+-------------+
o AGGREGATE-VPN-IPv6 SENDER_TEMPLATE object:
Class = 11, C-Type = 17
+-------------+-------------+-------------+-------------+
| |
+ +
| |
+ VPN-IPv6 AggregatorAddress (24 bytes) +
/ /
. .
/ /
| |
+-------------+-------------+-------------+-------------+
The VPN-IPv4 AggregatorAddress (respectively, VPN-IPv6
AggregatorAddress) field contains an address of the VPN-IPv4
(respectively, VPN-IPv6) address family encoded as specified in
[RFC4364] (respectively, [RFC4659]). The content and processing
rules for these objects are similar to those of the VPN-IPv4
SENDER_TEMPLATE object defined in Section 8.2.
The flags and DSCP are identical to the same fields of the AGGREGATE-
IPv4 and AGGREGATE-IPv6 SESSION objects.
8.7. AGGREGATE-VPN-IPv4 and AGGREGATE-VPN-IPv6 FILTER_SPEC Objects
The usage of Aggregated VPN-IPv4 FILTER_SPEC object is described in
Section 7.3. The AGGREGATE-VPN-IPv4 FILTER_SPEC object appears in
RSVP messages that ordinarily contain a AGGREGATE-IPv4 FILTER_SPEC
object as defined in [RFC3175] and [RFC4860], and are sent between
ingress PE and egress PE in either direction. These objects MUST NOT
be included in any RSVP messages that are sent outside of the
provider's backbone (except in the inter-AS Option-B and Option-C
cases, as described above, when it may appear on inter-AS links).
Davie, et al. Standards Track [Page 27]
^L
RFC 6016 RSVP for L3VPNs October 2010
The processing rules for these objects are otherwise identical to
those of the VPN-IPv4 FILTER_SPEC object defined in Section 8.3. The
format of the object is as follows:
o AGGREGATE-VPN-IPv4 FILTER_SPEC object:
Class = 10, C-Type = 16
Definition same as AGGREGATE-VPN-IPv4 SENDER_TEMPLATE object.
o AGGREGATE-VPN-IPv6 FILTER_SPEC object:
Class = 10, C-Type = 17
Definition same as AGGREGATE-VPN-IPv6 SENDER_TEMPLATE object.
9. IANA Considerations
Section 8 defines new objects. Therefore, IANA has modified the RSVP
parameters registry, 'Class Names, Class Numbers, and Class Types'
subregistry, and:
o assigned six new C-Types under the existing SESSION Class (Class
number 1), as follows:
Class
Number Class Name Reference
------ ----------------------- ---------
1 SESSION [RFC2205]
Class Types or C-Types:
.. ... ...
19 VPN-IPv4 [RFC6016]
20 VPN-IPv6 [RFC6016]
21 AGGREGATE-VPN-IPv4 [RFC6016]
22 AGGREGATE-VPN-IPv6 [RFC6016]
23 GENERIC-AGGREGATE-VPN-IPv4 [RFC6016]
24 GENERIC-AGGREGATE-VPN-IPv6 [RFC6016]
o assigned four new C-Types under the existing SENDER_TEMPLATE Class
(Class number 11), as follows:
Davie, et al. Standards Track [Page 28]
^L
RFC 6016 RSVP for L3VPNs October 2010
Class
Number Class Name Reference
------ ----------------------- ---------
11 SENDER_TEMPLATE [RFC2205]
Class Types or C-Types:
.. ... ...
14 VPN-IPv4 [RFC6016]
15 VPN-IPv6 [RFC6016]
16 AGGREGATE-VPN-IPv4 [RFC6016]
17 AGGREGATE-VPN-IPv6 [RFC6016]
o assigned four new C-Types under the existing FILTER_SPEC Class
(Class number 10), as follows:
Class
Number Class Name Reference
------ ----------------------- ---------
10 FILTER_SPEC [RFC2205]
Class Types or C-Types:
.. ... ...
14 VPN-IPv4 [RFC6016]
15 VPN-IPv6 [RFC6016]
16 AGGREGATE-VPN-IPv4 [RFC6016]
17 AGGREGATE-VPN-IPv6 [RFC6016]
o assigned two new C-Types under the existing RSVP_HOP Class (Class
number 3), as follows:
Class
Number Class Name Reference
------ ----------------------- ---------
3 RSVP_HOP [RFC2205]
Class Types or C-Types:
.. ... ...
5 VPN-IPv4 [RFC6016]
6 VPN-IPv6 [RFC6016]
Davie, et al. Standards Track [Page 29]
^L
RFC 6016 RSVP for L3VPNs October 2010
In addition, a new PathError code/value is required to identify a
signaling reachability failure and the need for a VPN-IPv4 or VPN-
IPv6 RSVP_HOP object as described in Section 5.2.2. Therefore, IANA
has modified the RSVP parameters registry, 'Error Codes and Globally-
Defined Error Value Sub-Codes' subregistry, and:
o assigned a new Error Code and sub-code, as follows:
37 RSVP over MPLS Problem [RFC6016]
This Error Code has the following globally-defined Error
Value sub-codes:
1 = RSVP_HOP not reachable across VPN [RFC6016]
10. Security Considerations
[RFC4364] addresses the security considerations of BGP/MPLS VPNs in
general. General RSVP security considerations are discussed in
[RFC2205]. To ensure the integrity of RSVP, the RSVP Authentication
mechanisms defined in [RFC2747] and [RFC3097] SHOULD be supported.
Those protect RSVP message integrity hop-by-hop and provide node
authentication as well as replay protection, thereby protecting
against corruption and spoofing of RSVP messages. [RSVP-KEYING]
discusses applicability of various keying approaches for RSVP
Authentication. First, we note that the discussion about
applicability of group keying to an intra-provider environment where
RSVP hops are not IP hops is relevant to securing of RSVP among PEs
of a given Service Provider deploying the solution specified in the
present document. We note that the RSVP signaling in MPLS VPN is
likely to spread over multiple administrative domains (e.g., the
service provider operating the VPN service, and the customers of the
service). Therefore the considerations in [RSVP-KEYING] about inter-
domain issues are likely to apply.
Since RSVP messages travel through the L3VPN cloud directly addressed
to PE or ASBR routers (without IP Router Alert Option), P routers
remain isolated from RSVP messages signaling customer reservations.
Providers MAY choose to block PEs from sending datagrams with the
Router Alert Option to P routers as a security practice, without
impacting the functionality described herein.
Beyond those general issues, four specific issues are introduced by
this document: resource usage on PEs, resource usage in the provider
backbone, PE route advertisement outside the AS, and signaling
exposure to ASBRs and PEs. We discuss these in turn.
Davie, et al. Standards Track [Page 30]
^L
RFC 6016 RSVP for L3VPNs October 2010
A customer who makes resource reservations on the CE-PE links for his
sites is only competing for link resources with himself, as in
standard RSVP, at least in the common case where each CE-PE link is
dedicated to a single customer. Thus, from the perspective of the
CE-PE links, the present document does not introduce any new security
issues. However, because a PE typically serves multiple customers,
there is also the possibility that a customer might attempt to use
excessive computational resources on a PE (CPU cycles, memory, etc.)
by sending large numbers of RSVP messages to a PE. In the extreme,
this could represent a form of denial-of-service attack. In order to
prevent such an attack, a PE SHOULD support mechanisms to limit the
fraction of its processing resources that can be consumed by any one
CE or by the set of CEs of a given customer. For example, a PE might
implement a form of rate limiting on RSVP messages that it receives
from each CE. We observe that these security risks and measures
related to PE resource usage are very similar for any control-plane
protocol operating between CE and PE (e.g., RSVP, routing,
multicast).
The second concern arises only when the service provider chooses to
offer resource reservation across the backbone, as described in
Section 4. In this case, the concern may be that a single customer
might attempt to reserve a large fraction of backbone capacity,
perhaps with a coordinated effort from several different CEs, thus
denying service to other customers using the same backbone.
[RFC4804] provides some guidance on the security issues when RSVP
reservations are aggregated onto MPLS tunnels, which are applicable
to the situation described here. We note that a provider MAY use
local policy to limit the amount of resources that can be reserved by
a given customer from a particular PE, and that a policy server could
be used to control the resource usage of a given customer across
multiple PEs if desired. It is RECOMMENDED that an implementation of
this specification support local policy on the PE to control the
amount of resources that can be reserved by a given customer/CE.
Use of the VPN-IPv4 RSVP_HOP object requires exporting a PE VPN-IPv4
route to another AS, and potentially could allow unchecked access to
remote PEs if those routes were indiscriminately redistributed.
However, as described in Section 3.1, no route that is not within a
customer's VPN should ever be advertised to (or be reachable from)
that customer. If a PE uses a local address already within a
customer VRF (like PE-CE link address), it MUST NOT send this address
in any RSVP messages in a different customer VRF. A "control-plane"
VPN MAY be created across PEs and ASBRs and addresses in this VPN can
be used to signal RSVP sessions for any customers, but these routes
MUST NOT be advertised to, or made reachable from, any customer. An
implementation of the present document MAY support such operation
using a "control-plane" VPN. Alternatively, ASBRs MAY implement the
Davie, et al. Standards Track [Page 31]
^L
RFC 6016 RSVP for L3VPNs October 2010
signaling procedures described in Section 5.2.1, even if admission
control is not required on the inter-AS link, as these procedures do
not require any direct P/PE route advertisement out of the AS.
Finally, certain operations described herein (Section 3) require an
ASBR or PE to receive and locally process a signaling packet
addressed to the BGP next hop address advertised by that router.
This requirement does not strictly apply to MPLS/BGP VPNs [RFC4364].
This could be viewed as opening ASBRs and PEs to being directly
addressable by customer devices where they were not open before, and
could be considered a security issue. If a provider wishes to
mitigate this situation, the implementation MAY support the "control
protocol VPN" approach described above. That is, whenever a
signaling message is to be sent to a PE or ASBR, the address of the
router in question would be looked up in the "control protocol VPN",
and the message would then be sent on the LSP that is found as a
result of that lookup. This would ensure that the router address is
not reachable by customer devices.
[RFC4364] mentions use of IPsec both on a CE-CE basis and PE-PE
basis:
Cryptographic privacy is not provided by this architecture, nor by
Frame Relay or ATM VPNs. These architectures are all compatible
with the use of cryptography on a CE-CE basis, if that is desired.
The use of cryptography on a PE-PE basis is for further study.
The procedures specified in the present document for admission
control on the PE-CE links (Section 3) are compatible with the use of
IPsec on a PE-PE basis. The optional procedures specified in the
present document for admission control in the Service Provider's
backbone (Section 4) are not compatible with the use of IPsec on a
PE-PE basis, since those procedures depend on the use of PE-PE MPLS
TE Tunnels to perform aggregate reservations through the Service
Provider's backbone.
[RFC4923] describes a model for RSVP operation through IPsec
Gateways. In a nutshell, a form of hierarchical RSVP reservation is
used where an RSVP reservation is made for the IPsec tunnel and then
individual RSVP reservations are admitted/aggregated over the tunnel
reservation. This model applies to the case where IPsec is used on a
CE-CE basis. In that situation, the procedures defined in the
present document would simply apply "as is" to the reservation
established for the IPsec tunnel(s).
Davie, et al. Standards Track [Page 32]
^L
RFC 6016 RSVP for L3VPNs October 2010
11. Acknowledgments
Thanks to Ashwini Dahiya, Prashant Srinivas, Yakov Rekhter, Eric
Rosen, Dan Tappan, and Lou Berger for their many contributions to
solving the problems described in this document. Thanks to Ferit
Yegenoglu for his useful comments. We also thank Stefan Santesson,
Vijay Gurbani, and Alexey Melnikov for their review comments. We
thank Richard Woundy for his very thorough review and comments
including those that resulted in additional text discussing scenarios
of admission control reject in the MPLS VPN cloud. Also, we thank
Adrian Farrel for his detailed review and contributions.
Davie, et al. Standards Track [Page 33]
^L
RFC 6016 RSVP for L3VPNs October 2010
Appendix A. Alternatives Considered
At this stage, a number of alternatives to the approach described
above have been considered. We document some of the approaches
considered here to assist future discussion. None of these have been
shown to improve upon the approach described above, and the first two
seem to have significant drawbacks relative to the approach described
above.
Appendix A.1. GMPLS UNI Approach
[RFC4208] defines the GMPLS UNI. In Section 7, the operation of the
GMPLS UNI in a VPN context is briefly described. This is somewhat
similar to the problem tackled in the current document. The main
difference is that the GMPLS UNI is primarily aimed at the problem of
allowing a CE device to request the establishment of a Label Switched
Path (LSP) across the network on the other side of the UNI. Hence,
the procedures in [RFC4208] would lead to the establishment of an LSP
across the VPN provider's network for every RSVP request received,
which is not desired in this case.
To the extent possible, the approach described in this document is
consistent with [RFC4208], while filling in more of the details and
avoiding the problem noted above.
Appendix A.2. Label Switching Approach
Implementations that always look at IP headers inside the MPLS label
on the egress PE can intercept Path messages and determine the
correct VRF and RSVP state by using a combination of the
encapsulating VPN label and the IP header. In our view, this is an
undesirable approach for two reasons. Firstly, it imposes a new MPLS
forwarding requirement for all data packets on the egress PE.
Secondly, it requires using the encapsulating MPLS label to identify
RSVP state, which runs counter to existing RSVP principle and
practice where all information used to identify RSVP state is
included within RSVP objects. RSVP extensions such as COPS/RSVP
[RFC2749] which re-encapsulate RSVP messages are incompatible with
this change.
Appendix A.3. VRF Label Approach
Another approach to solving the problems described here involves the
use of label switching to ensure that Path, Resv, and other RSVP
messages are directed to the appropriate VRF on the next RSVP hop
(e.g., egress PE). One challenge with such an approach is that
[RFC4364] does not require labels to be allocated for VRFs, only for
customer prefixes, and that there is no simple, existing method for
Davie, et al. Standards Track [Page 34]
^L
RFC 6016 RSVP for L3VPNs October 2010
advertising the fact that a label is bound to a VRF. If, for
example, an ingress PE sent a Path message labelled with a VPN label
that was advertised by the egress PE for the prefix that matches the
destination address in the Path, there is a risk that the egress PE
would simply label-switch the Path directly on to the CE without
performing RSVP processing.
A second challenge with this approach is that an IP address needs to
be associated with a VRF and used as the PHOP address for the Path
message sent from ingress PE to egress PE. That address needs to be
reachable from the egress PE, and to exist in the VRF at the ingress
PE. Such an address is not always available in today's deployments,
so this represents at least a change to existing deployment
practices.
Appendix A.4. VRF Label Plus VRF Address Approach
It is possible to create an approach based on that described in the
previous section that addresses the main challenges of that approach.
The basic approach has two parts: (a) define a new BGP Extended
Community to tag a route (and its associated MPLS label) as pointing
to a VRF; (b) allocate a "dummy" address to each VRF, specifically to
be used for routing RSVP messages. The dummy address (which could be
anything, e.g., a loopback of the associated PE) would be used as a
PHOP for Path messages and would serve as the destination for Resv
messages but would not be imported into VRFs of any other PE.
References
Normative References
[RFC2113] Katz, D., "IP Router Alert Option", RFC 2113,
February 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) --
Version 1 Functional Specification", RFC 2205,
September 1997.
[RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert
Option", RFC 2711, October 1999.
[RFC3175] Baker, F., Iturralde, C., Le Faucheur, F., and B.
Davie, "Aggregation of RSVP for IPv4 and IPv6
Reservations", RFC 3175, September 2001.
Davie, et al. Standards Track [Page 35]
^L
RFC 6016 RSVP for L3VPNs October 2010
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, February 2006.
[RFC4659] De Clercq, J., Ooms, D., Carugi, M., and F. Le
Faucheur, "BGP-MPLS IP Virtual Private Network (VPN)
Extension for IPv6 VPN", RFC 4659, September 2006.
[RFC4804] Le Faucheur, F., "Aggregation of Resource ReSerVation
Protocol (RSVP) Reservations over MPLS TE/DS-TE
Tunnels", RFC 4804, February 2007.
Informative References
[ALERT-USAGE] Le Faucheur, F., Ed., "IP Router Alert Considerations
and Usage", Work in Progress, July 2010.
[LER-OPTIONS] Smith, D., Mullooly, J., Jaeger, W., and T. Scholl,
"Requirements for Label Edge Router Forwarding of IPv4
Option Packets", Work in Progress, May 2010.
[RFC1633] Braden, B., Clark, D., and S. Shenker, "Integrated
Services in the Internet Architecture: an Overview",
RFC 1633, June 1994.
[RFC2209] Braden, B. and L. Zhang, "Resource ReSerVation
Protocol (RSVP) -- Version 1 Message Processing
Rules", RFC 2209, September 1997.
[RFC2210] Wroclawski, J., "The Use of RSVP with IETF Integrated
Services", RFC 2210, September 1997.
[RFC2747] Baker, F., Lindell, B., and M. Talwar, "RSVP
Cryptographic Authentication", RFC 2747, January 2000.
[RFC2748] Durham, D., Boyle, J., Cohen, R., Herzog, S., Rajan,
R., and A. Sastry, "The COPS (Common Open Policy
Service) Protocol", RFC 2748, January 2000.
[RFC2749] Herzog, S., Boyle, J., Cohen, R., Durham, D., Rajan,
R., and A. Sastry, "COPS usage for RSVP", RFC 2749,
January 2000.
[RFC2961] Berger, L., Gan, D., Swallow, G., Pan, P., Tommasi,
F., and S. Molendini, "RSVP Refresh Overhead Reduction
Extensions", RFC 2961, April 2001.
Davie, et al. Standards Track [Page 36]
^L
RFC 6016 RSVP for L3VPNs October 2010
[RFC3097] Braden, R. and L. Zhang, "RSVP Cryptographic
Authentication -- Updated Message Type Value",
RFC 3097, April 2001.
[RFC3473] Berger, L., "Generalized Multi-Protocol Label
Switching (GMPLS) Signaling Resource ReserVation
Protocol-Traffic Engineering (RSVP-TE) Extensions",
RFC 3473, January 2003.
[RFC4206] Kompella, K. and Y. Rekhter, "Label Switched Paths
(LSP) Hierarchy with Generalized Multi-Protocol Label
Switching (GMPLS) Traffic Engineering (TE)", RFC 4206,
October 2005.
[RFC4208] Swallow, G., Drake, J., Ishimatsu, H., and Y. Rekhter,
"Generalized Multiprotocol Label Switching (GMPLS)
User-Network Interface (UNI): Resource ReserVation
Protocol-Traffic Engineering (RSVP-TE) Support for the
Overlay Model", RFC 4208, October 2005.
[RFC4860] Le Faucheur, F., Davie, B., Bose, P., Christou, C.,
and M. Davenport, "Generic Aggregate Resource
ReSerVation Protocol (RSVP) Reservations", RFC 4860,
May 2007.
[RFC4923] Baker, F. and P. Bose, "Quality of Service (QoS)
Signaling in a Nested Virtual Private Network",
RFC 4923, August 2007.
[RFC5824] Kumaki, K., Zhang, R., and Y. Kamite, "Requirements
for Supporting Customer Resource ReSerVation Protocol
(RSVP) and RSVP Traffic Engineering (RSVP-TE) over a
BGP/MPLS IP-VPN", RFC 5824, April 2010.
[RFC5971] Schulzrinne, H. and R. Hancock, "GIST: General
Internet Signalling Transport", RFC 5971,
October 2010.
[RFC5974] Manner, J., Karagiannis, G., and A. McDonald, "NSIS
Signaling Layer Protocol (NSLP) for Quality-of-Service
Signaling", RFC 5974, October 2010.
[RSVP-KEYING] Behringer, M., Faucheur, F., and B. Weis,
"Applicability of Keying Methods for RSVP Security",
Work in Progress, September 2010.
Davie, et al. Standards Track [Page 37]
^L
RFC 6016 RSVP for L3VPNs October 2010
Authors' Addresses
Bruce Davie
Cisco Systems, Inc.
1414 Mass. Ave.
Boxborough, MA 01719
USA
EMail: bsd@cisco.com
Francois Le Faucheur
Cisco Systems, Inc.
Village d'Entreprise Green Side - Batiment T3
400, Avenue de Roumanille
Biot Sophia-Antipolis 06410
France
EMail: flefauch@cisco.com
Ashok Narayanan
Cisco Systems, Inc.
1414 Mass. Ave.
Boxborough, MA 01719
USA
EMail: ashokn@cisco.com
Davie, et al. Standards Track [Page 38]
^L
|
