Internet Draft




Internet Engineering Task Force       M. Suzuki and J. Sumimoto, Editors
INTERNET-DRAFT                                                       NTT
Expires January 14, 2001                                   July 14, 2000


                   A Framework for Network-based VPNs
                 <draft-suzuki-nbvpn-framework-00.txt>

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Abstract

   The objective of this draft is to clarify a framework for
   standardizing the mechanisms supporting interoperable network-based
   virtual private networks (NBVPNs).  These are VPNs using IP
   facilities whose operation mechanisms are implemented within a
   network (or networks) and outsourced to one or more service
   providers.

   This draft first describes the assumed services of NBVPNs and
   clarifies the logical architecture model and reference model of
   NBVPN.  Considering the assumed services, this draft further
   clarifies the NBVPN requirements for interfaces and MIBs in the
   reference model.  It also surveys and discusses current technologies
   supporting NBVPNs such as tunneling, VPN identifier, routing, and
   QoS/SLA.  Additionally it will, in future, provide outline of the
   interface and MIB specifications and present criteria for achieving
   interoperability.



Suzuki & Sumimoto Ed.     Expires January 2001                  [Page 1]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


1. Objective and Scope of this Document

   The objective of this document is to clarify a framework for
   standardizing the mechanisms supporting interoperable network-based
   virtual private networks (NBVPNs).  This framework includes assumed
   services of NBVPN for which interoperable solutions need to be
   developed, a logical architecture model and reference model of NBVPN,
   requirements for interfaces and MIBs of the NBVPN reference model, an
   outline of the interface and MIB specifications, overview of related
   technologies, and criteria for achieving interoperability.

   A VPN is defined as an emulation of a private wide area network; in
   particular, a VPN using IP is called an IP-VPN [RFC2764].  Since IP-
   VPNs have lower costs and more flexible service provisioning than
   VPNs based on other technologies, various IP-VPN implementations have
   been developed and some of them have been used in public services.
   IP-VPNs are further classified into "network-based VPNs (NBVPNs)" and
   "customer premises equipment (CPE)-based VPNs."  The NBVPN is an IP-
   VPN whose VPN operations mechanisms are implemented within a network
   (or networks) and outsourced to one or more service providers (SPs)
   [RFC2764].  Compared with a CPE-based VPN, in which the VPN
   operations mechanisms are implemented in CPE, the NBVPN has the
   advantage of reducing the customer's overhead for VPN operations, so
   it is attracting the attention of Internet users and SPs.

   Looking at current implementations of NBVPNs, we see that a single
   technology cannot serve as the base technology, so various
   technologies such as MPLS [MPLS-ARC] [MPLS-FRAME] and IPsec [RFC2401]
   have been used.  However, there has been no theoretical or practical
   way of achieving interworking among NBVPNs even though they have
   similar mechanisms.  Thus, early provision of such a solution is
   eagerly awaited by Internet users and SPs.

   In order to support the standardization activity (responding to
   demands) to provide solutions for NBVPN interworking, this framework
   is created and serves as the basis for standardization in terms of
   architecture and specifications of NBVPNs.  This standardization work
   aims to avoid applying excessive constraints to the mechanisms and
   specifications of base technologies (e.g., tunneling mechanisms) so
   that future advances in the base technologies for NBVPN can also be
   accommodated within this framework.  This standardization work does
   not intend to modify any currently used mechanisms or specifications
   of the base technologies, either.

   The NBVPNs targeted by this framework are:

   o Virtual private routed networks, which are defined as an emulation
     of a multi-site wide area routed network using IP [RFC2764].



Suzuki & Sumimoto Ed.     Expires January 2001                  [Page 2]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   Excluded are:

   o NBVPNs using VPN native (non-IP) protocols as their base
     technologies.  However, this does not mean to exclude multi-
     protocol access to the NBVPN by users.

   o Virtual leased lines, which provide a point-to-point link between
     two user sites [RFC2764].

   o Virtual private dialup networks, which are defined as an emulation
     of on-demand isolated IP reachability from a remote user to a user
     site.  The remote user is connected via a dial-up PSTN or ISDN link
     [RFC2764].

   o Virtual private LAN segments, which are defined as an emulation of
     a LAN segment using Internet facilities [RFC2764].

   This standardization is expected to lead to the following benefits.

   o Benefits to SPs

     It will enable flexible NBVPN implementation over multi-vendor
     multi-mechanism subnetworks.  It will remove the constraint that
     all user sites of an NBVPN are limited to a specific vendor or
     mechanism.  It will also lead to a lower costs than with the
     uniform NBVPN implementation.

   o Benefits to customers

     Customers will have more chance to construct wider area (e.g.,
     international) NBVPNs as a result of the multi-SP multi-vendor
     environments provided by this technology.  They will also get
     cheaper NBVPN services.

   In this document, section 2 describes assumed services of NBVPNs,
   section 3 clarifies the logical architecture model and reference
   model for NBVPNs, section 4 clarifies requirements for interfaces and
   MIBs in the NBVPN reference model, and section 5 outlines interface
   and MIB specifications.  Moreover, section 6 surveys current
   mechanisms and discusses their issues, section 7 discusses criteria
   for achieving interoperability, and section 8 describes security
   considerations.









Suzuki & Sumimoto Ed.     Expires January 2001                  [Page 3]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


2. Assumed Services of NBVPNs

   This section describes assumed services of NBVPNs in order to extract
   the requirements for mechanisms to be standardized for interoperable
   NBVPNs.  They are provided to user sites by the networks.

2.1 Closed User Group (CUG)

   Various specific user sites forming a closed user group (CUG) can
   communicate with each other through an NBVPN.  Other user sites
   cannot reach them.  This is the basic service of an NBVPN.  Operation
   mechanisms are implemented within a network and the operations are
   performed by an SP.  This service prevents packets from being
   injected into the network without authorization.  It also prevents
   packets from being snooped on, modified in transit, or subjected to
   traffic analysis by unauthorized parties.  Private IP addressing may
   be used in a CUG.

2.2 Extranets

   Multiple NBVPNs are interconnected within the networks.  Access
   control (including packet filtering and address translation) may be
   applied between NBVPNs according to policy.  Interconnection of
   NBVPNs performed in user sites is outside the scope of this document.

2.3 QoS/SLA

   NBVPN-specific SLAs covering loss rates, jitter, latency, and
   bandwidth etc.  are guaranteed and/or differentiated.  Various
   classes of QoS are provided, although they may depend on the
   supporting technologies, e.g., IntServ [RFC2211] [RFC2212], DiffServ
   [RFC2474] [RFC2475], or L2 traffic engineering capabilities.

2.4 Dynamic Routing

   Unicast routing information is exchanged between user sites and NBVPN
   using routing protocol such as Open Shortest Path First (OSPF)
   [RFC2328] or Border Gateway Protocol 4 (BGP-4) [RFC1771].  Routing
   information about each user site can be exchanged between user sites.
   This service is essential for multihomed user sites, while the major
   purpose of multihoming is to improve reliability.

2.5 Multiprotocol Transport

   Traffic is carried between user sites using various different
   protocols.





Suzuki & Sumimoto Ed.     Expires January 2001                  [Page 4]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


2.6 Data Security

   Stronger security than that of the basic service is provided by
   encryption and authentication.

2.7 NBVPN over multiple SPs

   A single NBVPN is provided over multiple SPs.

2.8 Multicast

   Multicast packets forwarded from user sites are replicated in the
   networks and forwarded to multiple user sites.  Multicast routing
   information is exchanged between user sites and NBVPN using multicast
   routing protocol.

3. Logical Architecture Model and Reference Model for NBVPN

   This section describes the logical architecture model and reference
   model for NBVPN.  These will be used in mapping the NBVPN service
   descriptions in section 2 to NBVPN requirements described in section
   4.

3.1 Logical Architecture Model for NBVPN

   The logical architecture model for NBVPN describes functions and
   their relationship for implementing NBVPN.  Figure 3.1 shows the
   logical architecture model.

                    +-------------------------------+
                    | MIBs and Management Framework |
                    +-------------------------------+
                                    |
  +-------+ Access        VR             VR             Access +-------+
  |CPE of | link   +----+ tunnel  +----+ tunnel  +----+ link   | CPE of|
  |NBVPN A+--------| VR |=========| VR |=========| VR |--------|NBVPN A|
  +-------+        +----+         +----+         +----+        +-------+

                                                     VR: Virtual Router

                 Figure 3.1: Logical architecture model.










Suzuki & Sumimoto Ed.     Expires January 2001                  [Page 5]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


                 +----+          VR tunnel          +----+       +-----+
                 |    |=============================| VR |-------+ CPE |
   +-----+       |    |                             +----+       +-----+
   | CPE +-------| VR |
   +-----+       |    |          VR tunnel          +----+       +-----+
                 |    |=============================| VR |-------+ CPE |
                 +----+                             +----+       +-----+

   +-----+       +----+      +----+     +----+      +----+       +-----+
   | CPE +-------|    |      |    |     |    |======| VR |-------+ CPE |
   +-----+       |    |======|    |     |    |      +----+       +-----+
   +-----+       | VR |      |    |     |    |
   | CPE +-------|    |      | VR |=====| VR |
   +-----+       +----+      |    |     |    |
   +-----+       +----+      |    |     |    |      +----+       +-----+
   | CPE +-------| VR |======|    |     |    |======| VR |-------+ CPE |
   +-----+       +----+      +----+     +----+      +----+       +-----+

                    Figure 3.2: Example configurations
                 applying the logical architecture model.


   Figure 3.1 shows a generalized model.  It can represent various NBVPN
   configurations, as shown in Figure 3.2.  The entities in the logical
   architecture model are described below.

   o Virtual router (VR)

     A VR supports router functions dedicated to a serving NBVPN.  It
     has the following functions.

     - Routing function: A VR creates, modifies, and maintains a routing
       table of the serving NBVPN using routing protocols.

     - Forwarding function: A VR forwards IP packets within the NBVPN by
       looking up entries in the routing table.

     - Access control function: A VR may control access (packet
       filtering and address translation) from other NBVPNs or from the
       Internet.

   o VR tunnel

     A VR tunnel is a connection (isolated from other NBVPNs and the
     Internet) between VRs whose serving NBVPNs are identical.  A VR
     tunnel is terminated by VRs.  Note that intermediate devices
     between VRs may also support the tunnel mechanism for packet
     forwarding, but this topic is outside the scope of the logical



Suzuki & Sumimoto Ed.     Expires January 2001                  [Page 6]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


     architecture model.

   o CPE

     CPE provides the functionality of a NBVPN user site.

   o Access link

     An access link provides CPE with access to services associated with
     a specific NBVPN.  Note that a physical facility may multiplex
     multiple access lines, but this is outside the scope of this model.

   o MIBs and management framework

     These represent MIBs for managing the customer configuration
     associated with the concerned VPN, MIBs for managing VRs, and other
     devices constructing the concerned NBVPN and associated managing
     functions.

































Suzuki & Sumimoto Ed.     Expires January 2001                  [Page 7]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


3.2 Reference Model

   In order to clarify possible mapping between the logical architecture
   model given in section 3.1 and implementation as well as to clarify
   the targets of the standardization work, this section describes a
   reference model illustrating the reference configuration of the
   NBVPN.  Figure 3.3 shows the reference model.


        :      +----------------------------------------+      :
+-----+ :      |                                        |      : +-----+
|User | :      |                +------+             +------+  : | User|
|site | :      |    ED          | Edge |      ED     | Edge |  : | site|
| of  | :  +------+ tunnel :    |device|    : tunnel |device|  : |  of |
|NBVPN+-:--|      |========:====|      |====:========|      |--:-+NBVPN|
|  A  | :  |      |        :    +------+    :        +------+  : |  A  |
+-----+ :  | Edge |        :                :           |      : +-----+
+-----+ :  |device|    Network-facing-side interface    |      : +-----+
|User | :  |      |                 :                +------+  : | User|
|site +-:--|      |=================:================| Edge |--:-+ site|
| of  | :  +------+                 :                |device|  : |  of |
|NBVPN| :      |           |                |        |      |  : |NBVPN|
|  B  | :      |    +------+------+   +-----+-----+  +------+  : |  B  |
+-----+ :      |    |NMS for      |   |NMS for    |     |      : +-----+
        :      |    |customer MIBs|   |device MIBs|     |      :
        :      |    +-------------+   +-----------+     |      :
        :      |                                        |      :
        :      +----------------------------------------+      :
        :      |<------------- Network(s) ------------->|      :
        :      |     single or multiple SP domains      |      :
        :                                                      :
 Customer-facing-                                       Customer-facing-
  side interface                                         side interface

                      Figure 3.3: Reference model.


   o User site

     A user site represents an implementation of CPE in the logical
     architecture model.  A user site belongs to only one NBVPN,
     although it can reach other NBVPNs through an extranet service.  A
     user site is usually accommodated by a single edge device.
     However, four types of double-homing arrangements, shown in Figure
     3.4, are also supported.






Suzuki & Sumimoto Ed.     Expires January 2001                  [Page 8]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


                   +----------------                    +---------------
                   |                                    |
               +------+                             +------+
     +---------| Edge |                   +---------| Edge |
     |         |device|                   |         |device|   Network
     |         +------+                   |         +------+
  +-----+          |                   +-----+          |
  |User |          |                   |User |          +---------------
  |site |          |      Network      |site |          +---------------
  +-----+          |                   +-----+          |
     |         +------+                   |         +------+
     |         | Edge |                   |         | Edge |
     +---------|device|                   +---------|device|   Network
               +------+                             +------+
                   |                                    |
                   +----------------                    +---------------
  This type includes a user site connected
  to an edge device via two access lines.
                  (a)                                  (b)

                   +----------------                    +---------------
                   |                                    |
  +-----+      +------+                +-----+      +------+
  |User |------| Edge |                |User |------| Edge |
  |site |      |device|                |site |      |device|   Network
  +-----+      +------+                +-----+      +------+
     |             |                      |             |
     | Backdoor    |                      | Backdoor    +---------------
     | link        |      Network         | link        +---------------
     |             |                      |             |
  +-----+      +------+                +-----+      +------+
  |User |      | Edge |                |User |      | Edge |
  |site |------|device|                |site |------|device|   Network
  +-----+      +------+                +-----+      +------+
                   |                                    |
                   +----------------                    +---------------

                  (c)                                  (d)

          Figure 3.4: Four types of double-homing arrangements.


   o Networks

     NBVPN services are provided by one or more networks to user sites
     as members of the concerned NBVPN.  These networks support edge
     devices, ED tunnels, NMSs for customer and device MIBs.  In this
     document, "a network" means a singe domain of an SP.  The NBVPN



Suzuki & Sumimoto Ed.     Expires January 2001                  [Page 9]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


     operation in a network is outsourced to an SP, but the whole NBVPN
     operation may be spread over multiple SPs.

   o Edge device

     An edge device implements one or more VRs.  It is usually located
     at the edge of a network.  It may terminate access links.

   o ED tunnel

     An ED tunnel is a connection between EDs.  Multiple VR tunnels
     defined in section 3.1 may be multiplexed into a single ED tunnel.
     A number of IP tunneling protocols have been proposed, but in this
     document, three different ED tunneling mechanisms--that is MPLS,
     GRE, and IPsec--are considered to support NBVPN.  A single NBVPN
     may make use of a mixture of tunneling mechanisms.

     When MPLS is used for the ED tunneling mechanism, it is implemented
     by a LSP and two multiplexing schemes are supported.  The first
     scheme uses two-layer label stacking of the MPLS.  In this scheme,
     the multiple VR tunnels identified by second labels are multiplexed
     in the ED tunnel identified by the top label.  The second scheme is
     applicable when the MPLS network is implemented by ATM, and it uses
     the CPCS user-to-user field in the AAL5 trailer or the VPN-ID field
     in the VPN encapusulation header [RFC2684].  In this scheme, the
     multiple VR tunnels in the ED tunnel are identified by the CPCS-UU
     or VPN-ID field respectively.

     When GRE is used for the ED tunneling mechanism and the key field
     option is supported, the VR tunnels are identified by the key
     field.  Note that if the key field is not present, the ED tunnel
     supports only one VR tunnel.  When IPsec is used, they are
     identified by the SPI field.

     Note that when the ED tunnel is provided by GRE or IPsec, it may
     pass through another tunneling mechanism (e.g., an IPsec tunnel
     over an MPLS network).  In this document, an ED tunnel is identical
     to the tunnel that directly multiplexes VR tunnels and does not
     include underlying tunneling mechanisms.

     Figure 3.5 illustrates VR tunnel multiplexing.  Multiple VR tunnels
     supporting connections for NBVPNs are multiplexed into an ED
     tunnel.  This arrangement allows multiplexing of VR tunnels of
     different NBVPNs.







Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 10]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


    +-------------+                                  +-------------+
    |             |             ED tunnel            |             |
    |             |  +----------------------------+  |             |
    |  +-------+  |  :                            :  |  +-------+  |
    |  | VR of |========================================| VR of |  |
    |  |NBVPN A|  |  :          VR tunnel         :  |  |NBVPN A|  |
    |  +-------+  |  :                            :  |  +-------+  |
    |  +-------+  |  :                            :  |  +-------+  |
    |  | VR of |========================================| VR of |  |
    |  |NBVPN B|  |  :          VR tunnel         :  |  |NBVPN B|  |
    |  +-------+  |  :                            :  |  +-------+  |
    |  +-------+  |  :                            :  |  +-------+  |
    |  | VR of |========================================| VR of |  |
    |  |NBVPN C|  |  :          VR tunnel         :  |  |NBVPN C|  |
    |  +-------+  |  :                            :  |  +-------+  |
    |             |  +----------------------------+  |             |
    +-------------+                                  +-------------+
      Edge device                                      Edge device

                    Figure 3.5: VR tunnel multiplexing.


   o NMS for customer MIB

     An NMS that manages customer MIBs of an NBVPN.

   o NMS for device MIB

     An NMS that manages device MIBs of an NBVPN.

   The targets of the standardization work are the following two
   interfaces and MIBs illustrated in the reference model given in
   Figure 3.3.

   o Customer-facing-side interface

     An interface between a user site and an edge device.

   o Network-facing-side interface

     An interface between edge devices.

   o Customer MIBs

     MIBs of NBVPN customer attributes.






Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 11]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   o Device MIBs

     MIBs of device attributes, covering VRs and other devices
     constructing the concerned NBVPN.

3.3 Identifiers (IDs)

   Various IDs play a key role in specifying the interfaces and MIBs
   introduced in section 3.2.  Some of them are mutually dependent,
   i.e., an ID type is unique within the scope of another ID type.  For
   example, the ID of each edge device is defined as unique within the
   scope of the ID of the SP operating those edge devices.

   The IDs that have been identified so far are: service provider ID
   (SP-ID), VPN-ID, user site ID (US-ID), device ID (DEV-ID), logical
   port ID (LPORT-ID), ED tunnel ID (EDTUNNEL-ID), and VR tunnel ID
   (VRTUNNEL-ID).  A detailed VPN information model describing the
   relationship among these IDs is given in section 4 of this framework.

4. Requirements for Interfaces and MIBs

4.1 General Requirements

   The implementation providing an NBVPN must:

   o be scalable

   o be manageable

   o enable a single NBVPN to span multiple subnetworks implemented with
     different technologies.  For example, a single NBVPN must be able
     to span IPsec- and MPLS-based-subnetworks.

   o enable a single NBVPN to span multiple SPs.

4.2 Classification of Network-facing-side Interface

   In this section, the network-facing-side interface shown in Figure
   3.3 is classified into three specific interfaces.

   It is not necessary for a single SP's whole network to be constructed
   with a uniform technology.  As shown in Figure 4.1, different
   subnetworks may be implemented with different technologies.  In this
   case, an edge device must be placed at the edge of a subnetwork
   interconnecting with another subnetwork that is based on another
   technology.  In this document, it is called a subnetwork edge device
   (SED).




Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 12]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


    +---------------------------------------------------------------+
    | +-------------------+                   +-------------------+ |
    | |  ED               |  ED               |  ED             +----+
   +----+tunnel :       +---+tunnel :       +---+tunnel :       |Edge|
   |    |=======:=======|   |=======:=======|   |=======:=======|de- |
   |    |       :       |   |       :       |   |       :       |vice|
   |    |    Intra-     |   |  Subnetwork   |   |       :       +----+
   |Edge|  subnetwork   |   | interworking  |   |Intra-subnetwork | |
   |de- |   interface   |SED|   interface   |SED|   interface     | |
   |vice|       :       |   |       :       |   |       :       +----+
   |    |ED     :       |   |ED     :       |   |ED     :       |Edge|
   |    |tunnel :       |   |tunnel :       |   |tunnel :       |de- |
   |    |=======:=======|   |=======:=======|   |=======:=======|vice|
   +----+       :       +---+       :       +---+       :       +----+
    | |         :         |         :         |         :         | |
    | +-------------------+                   +-------------------+ |
    | |<- Subnetwork(s) ->|                   |<- Subnetwork(s) ->| |
    |   implemented with                        implemented with    |
    | a uniform technology                    a uniform technology  |
    |                                                               |
    +---------------------------------------------------------------+
    |<-------------------------- Network -------------------------->|

                Figure 4.1: Intra-subnetwork interface and
                    subnetwork interworking interface.

    +---------------------------------------------------------------+
    | +-------------------+                   +-------------------+ |
    | |                   |  ED               |                 +----+
   +----+   ED tunnel   +---+tunnel :       +---+   ED tunnel   |Edge|
   |    |===============|   |=======:=======|   |===============|de- |
   |    |               |   |       :       |   |               |vice|
   |    |               |   |       :       |   |               +----+
   |Edge|               |   |SP interworking|   |                 | |
   |de- |               |PED|   interface   |PED|                 | |
   |vice|               |   |       :       |   |               +----+
   |    |               |   |ED     :       |   |               |Edge|
   |    |   ED tunnel   |   |tunnel :       |   |   ED tunnel   |de- |
   |    |===============|   |=======:=======|   |===============|vice|
   +----+               +---+       :       +---+               +----+
    | |                   |         :         |                   | |
    | +-------------------+                   +-------------------+ |
    | |<---- Network ---->|                   |<---- Network ---->| |
    |                                                               |
    +---------------------------------------------------------------+
    |<------------------------- Networks -------------------------->|

                  Figure 4.2: SP interworking interface.



Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 13]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   Similarly, when a single NBVPN spans multiple SPs, edge devices
   should be placed at every SP interconnecting point as shown in Figure
   4.2.  In this document, they are called provider edge devices (PEDs).

   In the rest of this document, SEDs and PEDs are also simply called
   "edge devices" unless they need to be differentiated.

   The intra-subnetwork interface and subnetwork interworking interface
   are defined as shown in Figure 4.1.  The former interface exists
   between a pair of edge devices and is restricted to one or more
   subnetworks implemented with a uniform technology.  The latter
   interface exists between a pair of SEDs and connects two subnetworks
   implemented with different technologies.  The SP interworking
   interface is defined as shown in Figure 4.2.  It exists between a
   pair of PEDs and connects two SP networks.




































Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 14]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


4.3 Requirements for Identifiers

   This section clarifies the requirements for the identifiers to
   describe the requirements for the interfaces and MIBs.  Several
   identifiers are defined, as illustrated in Figure 4.3.

                   EDTUNNEL                    EDTUNNEL
                     -ID                         -ID
           DEV   VR   |                           |   VR   DEV
           -ID TUNNEL |                           | TUNNEL -ID
      LPORT  |  -ID   |                           |  -ID   |
US-ID  -ID   |    |   |                           |   |    |
   |    |    V    |   V         ED tunnel         V   |    V
   |    |  +----+ | +-+---------------------------+-+ | +----+
   V    |  |    | V :           VR tunnel           : V |    |
 +----+ |  |    |=+===================================+=|    |
 |    | V  |    |   :           VR Tunnel           :   |SED |
 |User| |  |    |=+===================================+=|    |
 |site+-+--|    |   :                               :   |    |
 |    | |  |    |   +-+---------------------------+-+   |    |
 +----+    |    |                                       +----+
           |Edge|               ED tunnel
 +----+ |  |de- |   +-+---------------------------+-+   +----+
 |    +-+--|vice|   :           VR tunnel           :   |    |
 |    | |  |    |=+===================================+=|    |    +----+
 |User|    |    |   :           VR tunnel           :   |    |    |    |
 |Site|    |    |=+===================================+=|    |  | |User|
 |    | |  |    |   :           VR tunnel           :   |    |--+-+site|
 |    +-+--|    |=+===================================+=|    |  | |    |
 +----+ |  |    |   :                               :   |Edge|    +----+
           |    |   +-+---------------------------+-+   |de- |
           +----+                                       |vice|    +----+
                                ED tunnel               |    |    |    |
           +----+   +-+---------------------------+-+   |    |  | |User|
           |    |   :           VR tunnel           :   |    |--+-+site|
           |    |=+===================================+=|    |  | |    |
           |PED |   :           VR tunnel           :   |    |    +----+
           |    |=+===================================+=|    |
           |    |   :                               :   |    |
           +----+   +-+---------------------------+-+   +----+

                        Figure 4.3: Identifiers.


   o SP-ID, which identifies each SP, must be unique at least within all
     the interconnected networks of SPs.  (In practice, it should be
     globally unique.)  This is necessary when a single NBVPN spans
     multiple SPs.



Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 15]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   o VPN-ID, which identifies each NBVPN, must be unique at least within
     each SP's network.

   o US-ID, which identifies each user site, must be unique at least
     within each SP's network.

   o DEV-ID, which identifies each edge device, must be unique at least
     within each SP's network.  The DEV-ID of a PED must be  unique at
     least within all the interconnected SP networks.

     Note: One of the IP addresses assigned to an edge device is usually
     used as DEV-ID.

   o LPORT-ID, which identifies a logical port, must be unique at least
     within each edge device containing the logical port.  Here, a
     logical port represents a terminating point of an access link
     accommodating a user site.

   o EDTUNNEL-ID, which identifies each ED tunnel, must be unique at
     least within each edge device supporting the ED tunnel.

   o VRTUNNEL-ID, which identifies each VR tunnel, must be unique at
     least within each ED tunnel supporting the VR tunnel.

   The scope of the identifiers is summarized in Figure 4.4.  It shows
   that the right-side identifier must be unique at least within the
   scope of the left-side identifier for each arrow.

     SP-ID +--> VPN-ID
           |
           +--> US-ID
           |
           +--> DEV-ID +--> LPORT-ID
                       |
                       +--> EDTUNNEL-ID ---> VRTUNNEL-ID

                     Figure 4.4: Scope of identifiers.


   When a single NBVPN spans multiple SPs, their identifiers, except for
   SP-ID, must satisfy one of the following conditions: 1) their
   mappings are predefined, 2) their mappings are dynamically built by a
   protocol, or 3) they are linked together with the SP-ID.

   The association among the identifiers must satisfy the following
   requirements.





Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 16]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   o The US-ID must be mapped to one or more pairs of DEV-ID and LPORT-
     ID to configure the accommodation of user sites.  Note that it is
     not necessary for the mapping to be built in a one-to-one manner
     because a user site may be connected to edge devices through
     multiple access links as shown in Figures 3.4(a) and (b).  In this
     case, the US-ID must be mapped to all the concerned pairs of DEV-ID
     and LPORT-ID.

   o The US-ID must be uniquely mapped to the VPN-ID to distinguish the
     NBVPN associated with the user site.

   o A pair of DEV-ID and LPORT-ID must be uniquely mapped to the VPN-ID
     to distinguish the NBVPN associated with the logical port.

   o A set of DEV-ID, EDTUNNEL-ID, and VRTUNNEL-ID must be uniquely
     mapped to the VPN-ID to support a VR tunnel.

4.4 Requirements for the Interfaces

4.4.1 Customer-facing-side Interface

   This section describes the requirements for the customer-facing-side
   interface shown in Figure 3.3.

   o Packet Format

     Every packet must have the usual IP packet format without VPN-aware
     encapsulation, except in the case of providing multiprotocol
     transport service where every packet must have a protocol-specific
     packet format without VPN-aware encapsulation.

   o QoS/SLA

     For QoS/SLA service, every access link connecting a user site and
     an edge device must support the specified QoS/SLA.

   o Dynamic Routing

     Route control must be supported independently per access link
     connecting a user site and an edge device.  For dynamic routing
     service, different routing protocols must be supported per access
     link.

4.4.2 Network-facing-side Interface

   This section describes the requirements for the three specific
   network-facing-side interfaces shown in Figures 4.1 and 4.2.




Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 17]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   o Packet Format

     Every packet must be encapsulated with the VRTUNNEL-ID.
     Multiprotocol transport service requires multiprotocol-over-IP
     encapsulation and data security service requires data encryption.

   o QoS/SLA

     For QoS/SLA service, every ED tunnel must support specified QoS/SLA
     per NBVPN.

   o Learning Other Edge Device Identifiers

     To set up tunnels between edge devices, every edge device must
     learn the DEV-ID of other edge devices.  Therefore, every edge
     device must support static configuration for tunneling and may
     support a learning protocol.

   o Tunnel Setup

     To set up tunnels between VRs associated with the same NBVPN, every
     edge device must support static configuration for tunneling and may
     support a tunnel setup protocol.  When edge devices support the
     protocol, the information exchanged between them includes the VPN-
     ID, EDTUNNEL-ID, VRTUNNEL-ID, QoS/SLA information for QoS/SLA
     service, data encryption and authentication information for data
     security service, and multiprotocol-over-IP encapsulation
     information for multiprotocol transport service.

     For multicast service, multicast traffic must be forwarded through
     the created tunnels.

     For data security service, the created tunnel must support data
     encryption and authentication.

   o Tunnel Management

     A protocol for monitoring tunnel states must be supported.

     A protocol for tunnel restoration must be supported.

   o Authentication and Encryption

     For data security service, a protocol for authentication and
     encryption must be supported.






Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 18]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   o Dynamic Routing

     Route control must be supported independently per NBVPN.

     Routing protocols on the SP interworking interface may support
     authentication.

     If policy routing is performed, routing protocols running between
     PEDs on the SP interworking interface may specify intermediate SPs
     by SP-ID in route distribution and then routing protocols running
     between PEDs on the intra-subnetwork and subnetwork interworking
     interface may also specify intermediate SPs by SP-ID in route
     distribution.

4.5 Requirements for MIBs

4.5.1 Customer MIB

   This section describes the requirements for the customer MIB shown in
   Figure 3.3.

   o Management information about user sites and customer attributes of
     NBVPN must be configured and maintained.  The information includes
     the US-ID, DEV-ID, LPORT-ID, VPN-ID, access control policy
     information for extranet service, routing protocols used for
     dynamic routing or multicast service, and QoS/SLA information for
     QoS/SLA service.

4.5.2 Device MIB

   This section describes the requirements for the device MIB shown in
   Figure 3.3.

   o The configuration and maintenance of multiple VRs must be
     supported.  Their management information includes IP routing
     information and access control policy information for extranet
     service.  For multiprotocol transport service, protocol-specific
     routing information must be managed instead of IP routing
     information.

   o The mappings between the LPORT-ID and VPN-ID must be configured and
     maintained.  For QoS/SLA service, the mappings between LPORT-ID and
     QoS/SLA information must also be configured and maintained.

   o Tunnel information must be configured and maintained.  It includes
     the EDTUNNEL-ID, VRTUNNEL-ID, tunnel states, QoS/SLA information
     for QoS/SLA service, and encryption and authentication information
     for data security service.



Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 19]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   o Routing protocols running between VRs and user sites must be
     configured and maintained per VR.  For multicast service, multicast
     routing protocols must also be supported.

   o Routing protocols running between VRs must be configured and
     maintained per VR.  For multicast service, multicast routing
     protocols must also be supported.

5. Outline of Interface and MIB Specifications

   (To be written)

6. Survey of Available Technologies

6.1 Tunneling

   Tunneling mechanisms provide isolated and secure communication
   between two user sites.  Available tunneling mechanisms include (but
   are not limited to): MPLS [MPLS-ARCH] [MPLS-FRAME] [MPLS-ATM], GRE
   [RFC2784] [GRE-EXT], and IPsec [RFC2401] [RFC2402].  In an NBVPN, a
   tunnel is a secure communication path within a network.  An edge
   device encapsulates a data packet incoming from a user site, and
   injects it into an appropriate tunnel.  The data packet traverses the
   network, and reaches the edge device on the far side.  In the course
   of traversal, the data packet may have transferred to other tunnels,
   if necessary.  The edge device then retrieves the data packet from a
   tunnel, and passes it to the destination user site.

   An informational RFC, "A Framework for IP Based Virtual Private
   Networks" [RFC2764], identifies ten desirable capabilities for
   tunneling technologies:

   o Multiplexing

   o Signaling protocol

   o Data security

   o Multiprotocol transport

   o Frame sequencing

   o Tunnel maintenance

   o Large MTUs

   o Minimization of tunnel overhead




Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 20]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   o Flow and congestion control

   o QoS/traffic management

6.1.1 MPLS [MPLS_ARCH] [MPLS_FRAME] [MPLS-ATM]

   Multiprotocol Label Switching (MPLS) is a method for forwarding
   packets through a network.  Routers at the edge of a network apply
   simple labels to packets.  A label may be inserted between the data
   link and network headers, or may be carried in the data link header
   (e.g., the VPI/VCI field in an ATM header).  Routers in the network
   switch packets according to the labels with minimal lookup overhead.
   A path, or a tunnel in the NBVPN, is called a "label switched path
   (LSP)."

   o Multiplexing

     LSPs may be multiplexed into another LSP.

   o Signaling Protocol, and Tunnel Maintenance

     LSPs are set up and maintained by LDP (Label Distribution Protocol)
     [VPN-CRLDP] or RSVP (Resource Reservation Protocol) [LSP-RSVP].

   o Data Security

     MPLS has no intrinsic security mechanisms.  Some other mechanisms
     such as IPsec may be used with it.

   o Multiprotocol Transport

     MPLS can carry data packets other than IP ones.

   o Frame Sequencing

     MPLS guarantees in-order delivery of packets.

   o Large MTUs

     MPLS does not restrict the MTU size.

   o Minimization of Tunnel Overhead

     The overhead of label switching should be minimal.







Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 21]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   o Flow & Congestion Control and QoS/Traffic Management

     MPLS does not have intrinsic flow control or QoS management
     mechanisms.  Some other techniques such as DiffServ may be used
     with it [DIFF-MPLS].

6.1.2 GRE [RFC2784] [GRE-EXT]

   Generic Routing Encapsulation (GRE) specifies a protocol for
   encapsulating an arbitrary payload protocol over an arbitrary
   delivery protocol [RFC2784].  In particular, it may encapsulate an IP
   payload packet over IP.  An endpoint encapsulates and decapsulates
   GRE packets.  A GRE tunnel is a communication path between two
   endpoints established by the use of GRE.

   o Multiplexing

     The current GRE specification [RFC2784] does not support
     multiplexing.  The key field, which is being proposed in [GRE-EXT],
     may be used as a multiplexing field.

   o Signaling Protocol and Tunnel Maintenance

     GRE is not equipped with standard ways for setting up and
     maintaining GRE tunnels.

   o Data Security

     GRE has no intrinsic security mechanisms.  Some other mechanisms
     such as IPsec may be used with it.

   o Multiprotocol Transport

     GRE is assumed to support any type of payload protocols.

   o Frame Sequencing, Large MTUs, Flow & Congestion Control, and
     QoS/Traffic Management

     Those capabilities depend on the delivery protocol.  The sequence
     field as proposed in [GRE-EXT] may be used to achieve in-order
     delivery.

   o Minimization of Tunnel Overhead

     The overhead of GRE depends on the choice of delivery protocols,
     but the GRE header overhead is designed to be minimal.





Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 22]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


6.1.3 IPsec [RFC2401] [RFC2402] [RFC2406] [RFC2409]

   IP Security (IPsec) provides security services at the IP layer
   [RFC2401].  It comprises authentication header (AH) protocol
   [RFC2402], encapsulating security payload (ESP) protocol [RFC2406],
   and Internet key exchange (IKE) protocol [RFC2409].  AH protocol
   provides data integrity, data origin authentication, and an anti-
   replay service.  ESP protocol provides data confidentiality and
   limited traffic flow confidentiality.  It may also provide data
   integrity, data origin authentication, and an anti-replay service.
   AH and ESP may be used in combination.

   IPsec may be employed in either transport or tunnel mode.  In
   transport mode, AH or ESP or both headers are inserted between the
   IPv4 header and the transport protocol header.  In tunnel mode, an IP
   packet is encapsulated with an outer IP packet header.  AH or ESP or
   both headers are inserted between them.  AH and ESP establish a
   unidirectional secure communication path between two endpoints, which
   is called a security association.  In tunnel mode, two security
   associations compose a tunnel.  IKE protocol is used to exchange
   encryption keys among IPsec endpoints.

   o Multiplexing

     The SPI field of AH and ESP is used to multiplex security
     associations (or tunnels) within a tunnel.

   o Signaling Protocol, and Tunnel Maintenance

     IKE is used for the setup and maintenance of tunnels.

   o Data Security

     IPsec is designed to provide security services at the IP layer.

   o Multiprotocol Transport

     IPsec needs extensions to carry packets other than IP.
     Alternatively, GRE may be used with it.

   o Frame Sequencing

     IPsec has a sequence number field which is used by a receiver to
     perform an anti-replay check, not to guarantee in-order delivery of
     packets.






Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 23]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   o Large MTUs

     IPsec does not restrict the MTU size.

   o Minimization of Tunnel Overhead

     IPsec may impose its own overhead.

   o QoS/Traffic Management

     IPsec itself does not have intrinsic QoS/Traffic Management
     capabilities.  Other mechanisms such as "RSVP Extensions for IPSEC
     Data Flows" [RFC2207] or DiffServ may be used with it.

   Note: IPsec is applicable to a CPE-based VPN as well as an NBVPN.
   This document deals with the aspects of IPsec that are relevant to an
   NBVPN.

6.2 VPN Identifiers

   An NBVPN spanning multiple autonomous systems requires the use of a
   globally unique VPN identifier such as "a pair of autonomous system-
   number and VPN-index local to autonomous system" and the "global VPN
   identifier" as specified in [RFC2685].  A globally unique VPN
   identifier may be included in an MIB for the VPN configuration.  It
   may also be included in an encapsulation header of a data packet or
   may be exchanged as a parameter of signaling messages.

   The global VPN identifier defined in [RFC2685] consists of a 3-byte
   VPN organizationally unique identifier that identifies a VPN
   administrative authority, and a 4-byte VPN index that identifies the
   VPN within the context of a given VPN administrator.  The VPN
   encapsulation header defined in [RFC2684] supports the global VPN
   identifier.  But, it must be noted that the global VPN identifier,
   which is 56-bit long, does not fit into the 20-bit MPLS label or into
   the 32-bit IPsec SPI field.

6.3 Routing

   Dynamic routing service as defined in section 2 requires the exchange
   of routing information between a network and user sites.  A list of
   applicable technologies is given in section 6.3.1.  The network may
   terminate a routing protocol, or it may transfer routing information
   between user sites transparently.







Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 24]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   The network must maintain its routing configuration with integrity.
   The applicable technologies are listed in section 6.3.2.

6.3.1 Exchange of routing information between network and user sites

   The following technologies are available for the exchange of routing
   information between a network and user sites.

   o Static routing

     Routing tables may be configured through a management system.

   o RIP (Routing Information Protocol) [RFC2453]

     RIP is an interior gateway protocol and is used within an
     autonomous system.  It sends out routing updates at regular
     intervals and whenever the network topology changes.  Routing
     information is then propagated by the adjacent routers to their
     neighbors and thus to the entire network.  A route from a source to
     a destination is the path with the least number of routers.  This
     number is called the "hop count" and its maximum value is 15.  This
     implies that RIP is suitable for a small- or medium-sized networks.

   o OSPF (Open Shortest Path First) [RFC1583]

     OSPF is an interior gateway protocol and is applied to a single
     autonomous system.  Each router distributes the state of its
     interfaces and neighboring routers as a link-state advertisement,
     and maintains a database describing the autonomous system's
     topology.  A link-state is advertised every 30 minutes or when the
     topology is reconfigured.

     Each router maintains an identical topological database, from which
     it constructs a tree of shortest-paths with itself as the root.
     The algorithm is known as the Shortest Path First or SPF.  The
     router generates a routing table from the tree of shortest-paths.
     OSPF supports a variable length subnet mask, which enables
     effective use of the IP address space.

     OSPF allows sets of networks to be grouped together into an area.
     Each area has its own topological database.  The topology of the
     area is invisible from outside of its area.  The areas are
     interconnected via a "backbone" network.  The backbone network
     distributes routing information between the areas.  The area
     routing scheme can reduce the routing traffic and compute the
     shortest-path trees and is indispensable for larger-scale networks.





Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 25]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


     Each multi-access network with multiple routers attached has a
     designated router.  The designated router generates a link state
     advertisement for the multi-access network and synchronizes the
     topological database with other adjacent routers in the area.  The
     concept of designated router can thus reduce the routing traffic
     and compute shortest-path trees.  To achieve high availability, a
     backup designated router is used.

   o IS-IS (intermediate system to intermediate system) [RFC1195]

     IS-IS is a routing protocol designed for the OSI (Open Systems
     Interconnection) protocol suites.  Integrated IS-IS is derived from
     IS-IS in order to support the IP protocol.  In the Internet
     community, IS-IS means integrated IS-IS.  In this, a link-state is
     advertised over a connectionless network service.  IS-IS has the
     same basic features as OSPF.  They include: link-state
     advertisement and maintenance of a topological database within an
     area, calculation of a tree of shortest-paths, generation of a
     routing table from a tree of shortest-paths, the area routing
     scheme, a designated router, and a variable length subnet mask.

   o BGP4 (Border Gateway Protocol version 4) [RFC1771]

     BGP4 is an exterior gateway protocol and is applied to the routing
     of inter-autonomous systems.  A BGP speaker establishes a session
     with other BGP speakers and advertises routing information to them.
     A session may be an External BGP (EBGP) that connects two BGP
     speakers within different autonomous systems, or an internal BGP
     (IBGP) that connects two BGP speakers within a single autonomous
     system.  Routing information is qualified with path attributes,
     which differentiate routes for the purpose of selecting an
     appropriate one from possible routes.  Also, routes are grouped by
     the community attribute [RFC1997] [BGP-COM].

     The IBGP mesh size tends to increase dramatically with the number
     of BGP speakers in an autonomous system.  BGP can reduce the number
     of IBGP sessions by dividing the autonomous system into smaller
     autonomous systems and grouping them into a single confederation
     [RFC1965].  Route reflection is another way to reduce the number of
     IBGP sessions [RFC1966].  BGP divides the autonomous system into
     clusters.  Each cluster establishes the IBGP full-mesh within
     itself, and designates one or more BGP speakers as "route
     reflectors," which communicate with other clusters via their route
     reflectors.  Route reflectors in each cluster maintain path and
     attribute information across the autonomous system.  The autonomous
     system still functions like a fully meshed autonomous system.  On
     the other hand, confederations provide finer control of routing
     within the autonomous system by allowing for policy changes across



Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 26]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


     confederation boundaries, while route reflection requires the use
     of identical policies.

6.3.2 Exchange of routing information within a network

   The following technologies can be used for exchanging routing
   information within a network.

   o Static routing

   o RIP

   o OSPF

   o BGP

   o Multiprotocol BGP4 [RFC2858]

     BGP4 has been extended to support IPv6, IPX, and others as well as
     IPv4 [RFC2283].  Multiprotocol BGP4 carries routes from multiple
     "address families."

   o Extended BGP4 [VPN-2547BIS]

     Extended BGP4 is a specific extension to Multiprotocol BGP4.  The
     notion of "VPN-IPv4 address family" is introduced in [VPN-2547BIS].
     A VPN-IPv4 address is 12 bytes long and consists of an 8-byte route
     distinguisher (RD) and a 4-byte IPv4 address.  Overlapping of the
     IPv4 address space among multiple NBVPNs is resolved by using
     different RDs.  Scalable configurations can be achieved by the use
     of route reflectors.

6.4 QoS/SLA

   The following technologies for QoS/SLA are applicable to an NBVPN.

6.4.1 ATM

   Asynchronous transfer mode (ATM) provides several service categories,
   such as CBR (constant bit rate) service, VBR (variable bit rate)
   service, and GFR (guaranteed frame rate) service.  CBR service is
   used to guarantee a static amount of bandwidth.  VBR service is
   designed for a wide range of applications, including real-time and
   non-real-time applications.  GFR service is designed for applications
   that may require a minimum rate guarantee and can benefit from
   accessing additional bandwidth.  [AF-TM-0121.000]





Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 27]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


6.4.2 IntServ/RSVP [RFC2205] [RFC2208] [RFC2210] [RFC2746] [RSVP-LSP]

   The integrated service, or IntServ for short, is a mechanism for
   providing QoS/SLA by admission control.  RSVP is used to reserve
   network resources.  The network needs to maintain a state for each
   reservation.  The number of states in the network increases in
   proportion to the number of concurrent reservations.

6.4.3 DiffServ [RFC2474] [RFC2475]

   The differentiated service, or DiffServ for short, is a mechanism for
   providing QoS/SLA by differentiating traffic.  Traffic entering a
   network is classified into several behavior aggregates at the
   network-edge and each is assigned a corresponding DiffServ codepoint.
   Within the network, traffic is treated according to its DiffServ
   codepoint.  Some behavior aggregates have already been defined.
   Expedited forwarding behavior [RFC2598] guarantees the QoS, whereas
   assured forwarding behavior [RFC2597] differentiates traffic packet
   precedence values.

7. Criteria for Achieving Interoperability

   (To be written)

8. Security Considerations

   (To be written)

9. References

   [RFC2764] Gleeson, B., Heinanen, J., et al., "A Framework for IP
   Based Virtual Private Networks, " RFC2764, February 2000.

   [RFC2547] Rosen, E., Rekhter, Y., "BGP/MPLS VPN, " RFC2547, March
   1999.

   [RFC2684] Grossman, D. and Heinanen J., "Multiprotocol Encapsulation
   over ATM Adaptation Layer 5," RFC2684, September 1999.

   [RFC2685] Fox B., Gleeson, B., "Virtual Private Networks Identifier,"
   RFC2685, September 1999.

   [VPN-2547BIS] Rosen, E., Rekhter, Y., et al., "BGP/MPLS VPNs,"
   Internet-draft <draft-rosen-rfc2547bis-01.txt>, May 2000.

   [VPN-REQ] Berkowitz, H., "Requirements Taxonomy for Virtual Private
   Networks," Internet-draft , October
   1999.



Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 28]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   [VPN-VR] Ould-Brahim H. and Gleeson, B., "Network based IP VPN
   Architecture Using Virtual Routers," Internet-draft , March 2000.

   [VPN-EXT] Casey, L., "An extended IP VPN Architecture," , November 1998.

   [VPN-IPSEC] Touch, J., Eggert, L., "Use of IPSEC Transport Mode for
   Virtual Networks," , March 2000.

   [VPN-CRLDP] Houlik, P., Zhang, Z., Balaji, S., "Extensions to CR-LDP
   for VPNs," <draft-zhang-crldp-ext-for-vpn-00.txt>, March 2000.

   [VPN-INTER] Sumimoto, J., et al,. "MPLS VPN Interworking" Internet-
   Draft ," February 2000.

   [VPN-MPLS1] Heinanen, J., Rosen, E., "VPN support with MPLS," , March 1998.

   [VPN-MPLS2] Heinanen, J. and Gleeson, B., "MPLS Mappings of Generic
   VPN Mechanisms," Internet-draft , August 1998.

   [VPN-MPLS3] Jamieson, D., et al., "MPLS VPN Architecture," , August 1998.

   [VPN-MPLS4] Casey, L., et al., "IP VPN Realization using MPLS
   Tunnels," Internet-draft <draft-casey-vpn-mpls-00.txt>, November
   1998.

   [VPN-MPLS5] Muthukrishnan K., Malis, A., "A Core MPLS IP VPN
   Architecture," Internet-draft , June 2000.

   [MPLS-ARCH] Rosen E., et al., "Multiprotocol Label Switching
   Architecture," Internet-draft <draft-ietf-mpls-arch-06.txt>, August
   1999.

   [MPLS-FRAME] Callon, R., Swallow, J., et al., "A Framework for
   Multiprotocol Label Switching," <draft-ietf-mpls-framework-05.txt>,
   September 1999

   [MPLS-ATM] Davie, B., et al., "MPLS using LDP and ATM VC Switching,"
   Internet-draft <draft-ietf-mpls-atm-04.txt>, June 2000

   [MPLS-DIFF] Awduche, O., et al., "MPLS Support of Differentiated
   Services," Internet-draft <draft-ietf-mpls-diff-ext-05.txt>, February
   2000.



Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 29]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   [MPLS-GMNCL] GMN-CL home page:
   http://www.gmncl.ecl.ntt.co.jp/top_e.html

   [RFC2784] Farinacci, D., et al., "Generic Routing Encapsulation
   (GRE)," RFC2784, March 2000.

   [GRE-EXT] Dommety, G., "Key and Sequence Number Extensions to GRE,"
   Internet-draft , June 2000.

   [RFC2401] Kent, S., Atkinson, R., "Security Architecture for the
   Internet Protocol," RFC2401, November 1998.

   [RFC2402] Kent, S., Atkinson, R., "IP Authentication Header,"
   RFC2402, November 1998.

   [RFC2406] Kent, S., Atkinson, R., "IP Encapsulating Security Payload
   (ESP)," RFC2406, November 1998.

   [RFC2409] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE),"
   RFC2409, November 1998.

   [RFC2453] Malkin, G., "RIP Version 2," RFC2453, November 1994.

   [RFC2328] Moy, J., "OSPF Version 2," RFC2328, April 1998.

   [RFC1195] Callon, R., "Use of OSI IS-IS for Routing in TCP/IP and
   Dual Environments," RFC1195, December 1990.

   [RFC1771] Rekhter, Y., Li, T., "A Border Gateway Protocol 4
   (BGP-4),"RFC1771, March 1995.

   [RFC1965] Traina, P., "Autonomous System Confederations for BGP,"
   June 1996.

   [RFC1966] Bates, T., "BGP Route Reflection: An alternative to full
   mesh IBGP," June 1996.

   [RFC1997] Chandra, R., Traina, P., Li, T., "BGP Communities
   Attribute," RFC1997, August 1996.

   [RFC2858] Bates, T., Chandra, R., Katz, D., Rekhter, Y.,
   "Multiprotocol Extensions for BGP-4," RFC2283, February 1998.

   [BGP-COM] Ramachandra, S., "BGP Extended Communities Attribute,"
   Internet-draft , May
   2000.

   [AF-TM-0121.000] "Traffic Management Specification Version 4.1," ATM



Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 30]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


   Forum, March 1999.

   [RFC2205] Braden, R., et al., "Resource ReSerVation Protocol (RSVP)
   -- Version 1 Functional Specification," RFC2205, September 1997.

   [RFC2208] Mankin, A., et al., "Resource ReSerVation Protocol (RSVP)
   Version 1 Applicability Statement Some Guidelines on Deployment,"
   RFC2208, September 1997.

   [RFC2210] Wroclawski, J., "The Use of RSVP with IETF Integrated
   Services," RFC2210, September 1997.

   [RFC2211] Wroclawski, J., "Specification of the Controlled-Load
   Network Element Service," RFC2211, September 1997.

   [RFC2212] Shenker, S., Partridge, C., Guerin, R., "Specification of
   Guaranteed Quality of Service," RFC2212, September 1997.

   [RFC2207] Berger, L., O'Malley, T., "RSVP Extensions for IPSEC Data
   Flows," RFC2207, September 1997.

   [RFC2746] Terzis, A., et al., "RSVP Operation Over IP Tunnels,"
   RFC2746, January 2000.

   [RSVP-LSP] Awduche, D., et al., "Extensions to RSVP for LSP Tunnels,"
   Internet-draft <draft-ietf-mpls-rsvp-lsp-tunnel-05.txt>, February
   2000.

   [RFC2474] Nichols, K., et al., "Definition of the Differentiated
   Services Field (DS Field) in the IPv4 and IPv6 Headers," RFC2474,
   December 1998.

   [RFC2475] Blake S., et al., "An architecture for Differentiated
   Services," RFC2475, December 1998.

   [RFC2597] Heinanen, J., et al., "Assured Forwarding PHB Group,"
   RFC2597, June 1999.

   [RFC2598] Jacobsen, V., et al., "An Expedited Forwarding PHB,"
   RFC2598, June 1999.

   [DIFF-TUN] Black, D., "Differentiated Services and Tunnels,"
   Internet-Draft , February 2000.








Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 31]

INTERNET-DRAFT     A Framework for Network-based VPNs         July, 2000


10. Authors' addresses

   Muneyoshi Suzuki
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-Cho, Musashino-Shi, Tokyo 180-8585 Japan
   Email: suzuki.muneyoshi@lab.ntt.co.jp

   Junichi Sumimoto
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-Cho, Musashino-Shi, Tokyo 180-8585 Japan
   Email: sumimoto.junichi@lab.ntt.co.jp

   Kosei Suzuki
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-Cho, Musashino-Shi, Tokyo 180-8585 Japan
   Email: suzuki.kosei@lab.ntt.co.jp

   Hiroshi Kurakami
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-Cho, Musashino-Shi, Tokyo 180-8585 Japan
   Email: kurakami.hiroshi@lab.ntt.co.jp

   Takafumi Hamano
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-Cho, Musashino-Shi, Tokyo 180-8585 Japan
   Email: hamano.takafumi@lab.ntt.co.jp

   Naoto Makinae
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-Cho, Musashino-Shi, Tokyo 180-8585 Japan
   Email: makinae.naoto@lab.ntt.co.jp

   Kenichi Kitami
   NTT Information Sharing Laboratory Group
   3-9-11 Midori-Cho, Musashino-Shi, Tokyo 180-8585 Japan
   Email: kitami.kenichi@lab.ntt.co.jp















Suzuki & Sumimoto Ed.     Expires January 2001                 [Page 32]