Internet Draft


Network Working Group                                 Hamid Ould-Brahim
Internet Draft                                           Gregory Wright
draft-ouldbrahim-bgp-vpn-00.txt                           Bryan Gleeson
Expiration Date: January 2001                           Nortel Networks
                                                              July 2000









                                BGP/VPN:
                      VPN Information Discovery for
                           Network-based VPNs



Status of this Memo

   This document is an Internet-Draft and is in full conformance with
      all provisions of Section 10 of RFC2026 [RFC-2026].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet- Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Abstract

   VPN information can be piggybacked into BGP to allow a network-based
   VPN to auto-discover its membership and adequate information needed
   before any data exchange between private sites takes place across
   the backbone. Other drafts (e.g.[VPN-RFC2547]) also piggyback VPN
   information onto the backbone instance of BGP. However, [VPN-
   RFC2547] implicitly allows only for a single reachability mechanism
   (also BGP piggybacking) and a single tunneling mechanism (MPLS).
   This draft allows for the explicit indication of the reachability
   modes supported (e.g. piggybacking or virtual router) and the
   tunneling mechanisms supported, by a VPN device. The purpose of this

Ould-Brahim, et. al                                           [Page 1]
Internet-Draft    BGP/VPN: VPN Information Discovery      January 2001



   draft is to define a common VPN information protocol that can be
   used for both piggybacking and virtual router schemes. It allows for
   the auto-discovery of the nodes in a particular VPN, the selection
   of the reachability mechanism to use, and the selection of the
   tunneling protocol to use.


   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in RFC-2119.


1. Introduction

   VPN information can be piggybacked into BGP to allow a network-based
   VPN to auto-discover its membership and adequate information needed
   before any data exchange between private sites takes place across
   the backbone. Other drafts (e.g.[VPN-RFC2547]) also piggyback VPN
   information onto the backbone instance of BGP. However [VPN-RFC2547]
   draft implicitly allows only for a single reachability mechanism
   (also BGP piggybacking) and a single tunneling mechanism (MPLS).
   This draft allows for the explicit indication of the reachability
   mechanisms supported (e.g. piggybacking or virtual router) and the
   tunneling mechanisms supported, by a VPN device. The purpose of this
   draft is to define a common VPN information protocol that can be
   used for both piggybacking and virtual router schemes. It allows for
   the auto-discovery of the nodes in a particular VPN, the selection
   of the reachability mechanism to use, and the selection of the
   tunneling protocol to use.

   BGP is used to carry different type of VPN information (e.g., the
   list of VPN identifiers, the tunnel mechanisms, the VPN reachability
   information). The BGP UPDATE message carrying the VPN information
   will include, the set of VPN identifiers associated with each edge
   router, and adequate information to allow other edge routers to
   learn relevant VPN information. The edge routers would examine
   received VPN information and determine if any contained information
   was relevant to a supported (i.e., configured) VPN. The proposed VPN
   extensions allow different VPN topologies to be constructed (hub and
   spoke, a full mesh VPN, and arbitrary topologies).


2. Reachability Distribution Schemes

   There are two different schemes for distributing VPN reachability
   information, the virtual router and the piggybacking reachability
   schemes. In the VR model [VPN-VR], each VR in the VPN domain is
   running an instance of routing protocol responsible to disseminate
   VPN reachability information between VRs. Therefore, VPN
   reachability is carried out by a per-VPN instance of routing. In the
   reachability piggybacking model the VPN network layer is terminated
   at the edge of the backbone, and a backbone routing protocol (i.e.

Ould-Brahim, et al.           July 2000                       [Page 2]
Internet-Draft    BGP/VPN: VPN Information Discovery      January 2001



   BGP-4) is responsible for disseminating the VPN reachability
   information between provider edge routers (PE) for all the VPNs
   configured on the PE.


3. Network Based VPNs Reference Model

   The network based VPNs reference model addressed in this draft is
   illustrated in figure 1.


                     PE                         PE
               +--------------+            +--------------+
   +--------+  | +----------+ |            | +----------+ | +--------+
   |  VPN-A |  | |  VPN-A   | |            | |  VPN-A   | | |  VPN-A |
   |  Sites |--| |Database /| |  BGP peers | | Database/| |-|  sites |
   +--------+  | |Processing| |<---------->| |Processing| | +--------+
               | +----------+ |            | +----------+ |
               |              |            |              |
   +--------+  | +----------+ |            | +----------+ | +--------+
   | VPN-B  |  | |  VPN-B   | |  --------  | |   VPN-B  | | |  VPN-B |
   | Sites  |--| |Database /| |-(Backbone)-| | Database/| |-|  sites |
   +--------+  | |Processing| |  --------  | |Processing| | +--------+
               | +----------+ |            | +----------+ |
               |              |            |              |
   +--------+  | +----------+ |            | +----------+ | +--------+
   | VPN-C  |  | |  VPN-C   | |            | |   VPN-C  | | |  VPN-C |
   | Sites  |--| |Database /| |            | | Database/| |-|  sites |
   +--------+  | |Processing| |            | |Processing| | +--------+
               | +----------+ |            | +----------+ |
               +--------------+            +--------------+


                Figure 1: Network based VPN Reference Model


   It is assumed that BGP peers are configured over each backbone where
   the PE is attached. Each PE can store, and process information for
   multiple VPNs.



4. Carrying VPN information in BGP

   BGP-4 multiprotocol extension attributes can be used to carry
   various information about VPNs.  Other possible alternative is to
   use new BGP attributes specifically for carrying VPN information (as
   long as the VPN information entries are explicitly identified).

   SAFI value of 129 indicates that the information carried in the NLRI
   field is a VPN information.


Ould-Brahim, et al.           July 2000                       [Page 3]
Internet-Draft    BGP/VPN: VPN Information Discovery      January 2001



5. NLRI encoding

   To support VPN information in the NLRI, the Network Layer
   Reachability information in the MP_REACH_NLRI is encoded are
   described below:


   +---------------------------------------------------------+
   | Length of the NLRI (2 octets)                           |
   +---------------------------------------------------------+
   | Number of VPN-IDs (2 octets)                            |
   +---------------------------------------------------------+
   | First VPN-ID (7 octets)                                 |
   +---------------------------------------------------------+
   | Second VPN-ID (7 octets)                                |
   +---------------------------------------------------------+
   .....
   +---------------------------------------------------------+
   | N-th VPN-ID (7 octets)                                  |
   +---------------------------------------------------------+
   | VPN Topology Attribute (2 octets)                       |
   +---------------------------------------------------------+
   | VPN Reachability Mode  (1 octets)                       |
   +---------------------------------------------------------+
   | Length of VPN Reachability Entries (2 octets)           |
   +---------------------------------------------------------+
   | First VPN Reachability Entry (variable)                 |
   +---------------------------------------------------------+
   | Second VPN Reachability Entry (variable)                |
   +---------------------------------------------------------+
   .....
   +---------------------------------------------------------+
   | N-th VPN Reachability Entry (variable)                  |
   +---------------------------------------------------------+
   | Length of VPN Tunnel Entries (2 octets)                 |
   +---------------------------------------------------------+
   | First VPN Tunnel Entry (variable)                       |
   +---------------------------------------------------------+
   | Second VPN Tunnel Entry (variable)                      |
   +---------------------------------------------------------+
   .....
   +---------------------------------------------------------+
   | N-th VPN Tunnel Entry (variable)                        |
   +---------------------------------------------------------+
   | Other VPN information (variable)                        |
   +---------------------------------------------------------+

          Figure 2. VPN Information within the NLRI field


      The use and the meaning of these fields are as follows:


Ould-Brahim, et al.           July 2000                       [Page 4]
Internet-Draft    BGP/VPN: VPN Information Discovery      January 2001



         a) Length of the NLRI:

            The Length field indicates the length in bits of the NLRI
            tuple.

         b) Number of VPN-IDs (2 octets):

           The number of VPN-IDs carried in this NLRI.

         c) VPN-ID field:

           The VPN-ID format is defined in RFC2685:
           VPN OUI: Identifies VPN Authority (3 octets)
           VPN Index: Identifies a VPN within the Authority (4 octets)

         d) VPN Topology Attribute

            Two octets field used to indicate the nature of
            VPN topology.


         e) VPN Reachability Mode: A one octet number describing the
            reachability mode related to the VPN model used.

         f) Length of VPN Reachability Entries: The Length of VPN
            entries contains the length (in octets) of the VPN
            reachability entries.

         g) Length of VPN Tunnel Entries: contains the
            length (in octets) of the VPN  tunnel entries.

         h) Other VPN information: will be used for passing specific
            VPN information. This field is optional.


5.1 VPN Membership Discovery using VPN-ID

   The IETF [VPN-RFC2685] and the ATM Forum [VPN-ATM] have standardized
   on a single format for a globally unique identifier used to identify
   a VPN - a VPN-ID. Only the format of the VPN-ID has been defined,
   not its semantics or usage.  The aim is to allow its use for a wide
   variety of purposes, and to allow the same identifier to be used
   with different technologies and mechanisms.  For example a VPN-ID
   can be bound to a tunnel. All packets that traverse the tunnel are
   then implicitly associated with the identified VPN.

   The same identifier can be used to identify the VPN across different
   technologies.  Also if a VPN spans multiple administrative domains
   the same identifier can be used everywhere.




Ould-Brahim, et al.           July 2000                       [Page 5]
Internet-Draft    BGP/VPN: VPN Information Discovery      January 2001



5.2 VPN Reachability Discovery

   BGP can also be used to carry VPN reachability information. Indeed,
   once an edge router has determined/learnt the set of prefixes
   associated with each of attached VPNs, then this information is
   disseminated to each other edge router in the network.

   The VPN reachability entry is described as follows:


   +--------------------------------------------------------------+
   | VPN Reachability Type (2 octets)                             |
   +--------------------------------------------------------------+
   | Length (1 octets)                                            |
   +--------------------------------------------------------------+
   | VPN Reachability Value Field (variable)                      |
   +--------------------------------------------------------------+

                Figure 3. VPN Reachability Entry


   The use and the meaning of these fields are as follows:

        a) VPN Reachability type: is the type of the VPN reachability
           information.

        b) Length: The length field indicates the length in bits
                   of the VPN reachability value.

        c) VPN Reachability value field: contains the actual VPN route.


5.3  Tunnel Mechanisms Discovery

   Network-based VPNs must be implemented through some form of
   tunneling mechanism, where the packet formats and/or the addressing
   used within the VPN can be unrelated to that used to route the
   tunneled packets across the backbone [VPN-RFC2764]. There are
   numerous tunneling mechanisms that can be used by a network based
   VPN (e.g., IP/IP [RFC-2003], GRE tunnels [RFC-1701], IPSec [RFC-
   2401], and MPLS tunnels [MPLS-ARCH]). Each of these tunnels allows
   for opaque transport of frames as packet payload across the
   backbone, with forwarding disjoint from the address fields of the
   encapsulated packets [VPN-RFC2764].

   A tunnel connecting two endpoints is a basic building block
   from which a variety of different VPN services can be constructed.
   A tunnel operates as an overlay across the backbone, and the
   traffic sent through the tunnel is opaque to the underlying
   backbone. A provider edge router may terminate multiple type of
   tunnels and forward packets between these tunnels and other network
   interfaces in different ways.

Ould-Brahim, et al.           July 2000                       [Page 6]
Internet-Draft    BGP/VPN: VPN Information Discovery      January 2001




   BGP can be used to inform the other edge routers of the nature of
   the tunnel mechanism used (e.g., MPLS, IPSec, etc.) with adequate
   information about the actual tunnel endpoints.

   The tunnel entries are described as below:


   +--------------------------------------------------------------+
   | Tunnel Type Field (2 octets)                                 |
   +--------------------------------------------------------------+
   | Length (1 octets)                                            |
   +--------------------------------------------------------------+
   | Tunnel Value Field (variable)                                |
   +--------------------------------------------------------------+

                        Figure 4. VPN Tunnel Entry


   The use and the meaning of all the fields described above are:


        a) Tunnel Type field: Defines the type of tunneling
            mechanism (IPSec, IP in IP, MPLS, GRE, etc.).

        b) Length: length in bits of the Tunnel value.

        c) Tunnel Value Field: This field of variable size contains
           information about the tunnel endpoint values.


6. VPN Topology Information

   The proposed extensions allow different types of VPN topologies to
   be constructed. As an example, a hub and spoke VPN topology or an
   arbitrary topology can be constructed using different codes assigned
   to the topology attribute field.


7. Multiprotocol Unreachable NLRI for VPN:

   MP_UNREACH_NLRI can be used with a SAFI value of 129 for the
   purpose of withdrawing multiple unfeasible VPN NLRIs from service.


8. Use of BGP Capability Advertisement

   A BGP speaker that uses VPN information as described in this
   document with multiprotocol extensions should use the Capability
   Advertisement procedures to determine whether the speaker could use
   Multiprotocol Extensions with a particular peer.


Ould-Brahim, et al.           July 2000                       [Page 7]
Internet-Draft    BGP/VPN: VPN Information Discovery      January 2001



   The Capability Code field is set to 1 (which indicates Multiprotocol
   Extensions capabilities). The SAFI field is 129 for VPN information.


9. Security Considerations

   The VPN extensions described in this draft do not change the
   underlying security issues.


10. References


   [BGP-COMM] Ramachandra, Tappan, "BGP Extended Communities
      Attribute", February 2000, work in progress

   [BGP-MP] Bates, Chandra, Katz, and Rekhter, "Multiprotocol
      Extensions for BGP4", February 1998, RFC 2283

   [BGP-MPLS] Rekhter Y, Rosen E., "Carrying Label Information in
      BGP4", January 2000, work in progress

   [BGP-RR] Bates and Chandrasekaran, "BGP Route Reflection: An
      alternative to full mesh IBGP", RFC 2796, April 2000

   [MPLS-ARCH] Rosen, Viswanathan, and Callon, "Multiprotocol Label
      Switching Architecture", August 1999, work in progress

   [MPLS-ENCAPS] Rosen, Rekhter, Tappan, Farinacci, Fedorkow, Li, and
      Conta, "MPLS Label Stack Encoding", October 1999,work in progress

   [MPLS-LDP] Andersson, Doolan, Feldman, Fredette, Thomas, "LDP
      Specification", October 1999, work in progress

   [RFC-1701] Hanks, S., Li, T., Farinacci, D. and P. Traina, "Generic
      Routing Encapsulation (GRE)", RFC 1701, October 1994.

   [RFC-2003] Perkins, C., "IP Encapsulation within IP", RFC 2003,
      October 1996.

   [RFC-2026] Bradner, S., "The Internet Standards Process -- Revision
      3", RFC2026, October 1996.

   [RFC-2401] Kent S., Atkinson R., "Security Architecture for the
      Internet Protocol", RFC2401, November 1998.

   [RFC-2411] Thayer, R., et al, "IP Security Document Roadmap", RFC
      2411, November 1998.

   [RFC-2661] Townsley, W., et al, "Layer Two Tunneling Protocol L2TP",
      RFC2661, August 1999.


Ould-Brahim, et al.           July 2000                       [Page 8]
Internet-Draft    BGP/VPN: VPN Information Discovery      January 2001



   [RFC-2685] Bradner, S., "Key words for use in RFCs to Indicate
      Requirement Levels", RFC 2119, March 1997.

   [VPN-ATM] Petri, B. (editor) "MPOA v1.1 Addendum on VPN support",
      ATM Forum, af-mpoa-0129.000.

   [VPN-ITU] "Draft Recommendation Y.IPVPN", Study Group 13, Q20/13,
      May 2000.

   [VPN-RFC2547] Rosen E., et al, "BGP/MPLS VPNs", work in progress.

   [VPN-RFC2685] Fox B., et al, "Virtual Private Networks Identifier",
      RFC 2685, September 1999.

   [VPN-RFC2764] Gleeson, B., et al., "A Framework for IP Based Virtual
      Private Networks", RFC 2764, February 2000.

   [VPN-VR] Ould-Brahim H., et al., "Network based IP VPN Architecture
       using Virtual Routers", work in progress.


11. Intellectual Property Consideration

   The IETF has been notified of intellectual property rights claimed
   in regard to some or all of the specification contained in this
   document. For more information consult the online list of claimed
   rights.


12. Acknowledgments

   The authors would like to acknowledge the following individuals for
   their helpful comments and suggestions: Bilel Jamoussi, Don Fedyk,
   and Ahmad Khalid from Nortel Networks.


13. Author's Addresses

   Hamid Ould-Brahim
   Nortel Networks
   P O Box 3511 Station C
   Ottawa, ON K1Y 4H7
   Canada

   Phone: +1 (613) 765 3418








Ould-Brahim, et al.           July 2000                       [Page 9]
                  BGP/VPN: VPN Information Discovery      January 2001



   Gregory Wright
   Nortel Networks
   P O Box 3511 Station C
   Ottawa, ON K1Y 4H7
   Canada

   Phone: +1 (613) 765 7912
   Email: gwright@nortelnetworks.com


   Bryan Gleeson
   Nortel Networks
   2305 Mission College Blvd
   Santa Clara CA 95054
   USA

   Phone: +1 (505) 565 2625
   Email: bgleeson@shastanets.com



































Ould-Brahim, et al.           July 2000                      [Page 10]
                  BGP/VPN: VPN Information Discovery      January 2001




Full Copyright Statement

   Copyright (C) The Internet Society (date). All Rights Reserved. This
   document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

































Ould-Brahim, et al.           July 2000                      [Page 11]