Network Working Group                                   Jeremy De Clercq
Internet Draft                                              Yves T'Joens
Expiration Date: January 2001                         Peter De Schrijver
                                                                 Alcatel

                                                               July 2000

                             BGP/IPsec VPN

                 <draft-declercq-bgp-ipsec-vpn-00.txt>

Status of this Memo

   This document is an Internet-Draft and is in  full  conformance  with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents  of  the  Internet  Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft  documents  valid  for  a  maximum  of  six
   months.  Internet-Drafts  may  be  updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use  Internet-
   Drafts  as  reference  material  or  to  cite  them  other  than as a
   ``working draft'' or ``work in progress.''

     The list of current Internet-Drafts can be accessed at
     http://www.ietf.org/ietf/1id-abstracts.txt

     The list of Internet-Draft Shadow Directories can be accessed at
     http://www.ietf.org/shadow.html.


   To view the entire list of current Internet-Drafts, please check  the
   "1id-abstracts.txt"  listing  contained in the Internet-Drafts Shadow
   Directories  on  ftp.is.co.za   (Africa),   ftp.nordu.net   (Northern
   Europe),  ftp.nis.garr.it  (Southern  Europe),  munnari.oz.au(Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.


Abstract

   This document describes a method by which a Service Provider may  use
   an  IP backbone to provide VPNs for its customers.  IPsec tunnels are
   deployed through the backbone, and the forwarding of packets over the
   backbone   relies   on   normal  IP  forwarding.   BGP  is  used  for
   distributing (private) routes over the backbone.

   This model is based on the model described in RFC 2547 [RFC2547], and
   the internet-draft that obsoletes it [RFC2547bis]. The main difference
   is that in this model IPsec is used as the tunneling mechanism instead
   of MPLS.




De Clercq, et al.        Expires December 2000                  [Page 1]

Internet Draft      draft-declercq-bgp-ipsec-vpn-00             May 2000


   The purpose of extending the procedures defined in [RFC2547] is to
   offer an increased level of security by building upon the
   authentication and encryption services of IPsec, particularly for
   interdomain VPN operation; an added benefit is that no PE to PE MPLS
   backbone is required.

   Note however that the model does not  exclude  the  use  of  MPLS  in
   segments of the backbone to improve on traffic engineering and/or QoS
   aspects.

Table of Contents

1        Introduction  ..............................................  4
1.1      Motivation  ................................................  4
1.2      Virtual Private Networks  ..................................  4
1.3      Edge Devices  ..............................................  5
1.4      Multiple Routing and Forwarding Instances in PEs  ..........  5
1.5      VPNs with Overlapping Address Spaces  ......................  6
1.6      VPNs with Different Routes to the Same System  .............  6
1.7      SP Backbone Routers  .......................................  7
1.8      Security  ..................................................  7
1.9      Using IPsec in the Backbone  ...............................  7
2        Sites and CEs  .............................................  8
3        VPN Routing and Forwarding Instances  ......................  8
4        The VPN-SPI  ...............................................  9
4.1      Introduction  ..............................................  9
4.2      The VPN-SPI in the IKE negotiation  ........................ 10
4.2.1    VPN-SPI format, V-flag = 1  ................................ 10
4.2.2    Non-VPN-SPI format, V-flag = 0  ............................ 12
4.2.3    Use of the VPN-SPI in the IKE negotiation  ................. 13
4.3      The VPN-SPI in the IPsec processing  ....................... 13
4.3.1    Format and Interpretation of the VPN-SPI
         in the IPsec processing  ................................... 14
4.3.2    Outbound IPsec processing  ................................. 14
4.3.3    Inbound IPsec processing  .................................. 15
4.4      Use of the VPN-SPI after the inbound IPsec processing  ..... 15
4.5      Achievement  ............................................... 15
5        VPN Route Distribution via BGP  ............................ 16
5.1      The VPN-IPv4 Address Family  ............................... 16
5.2      Controlling Route Distribution  ............................ 16
5.2.1    The Route Target Attribute  ................................ 17
5.2.2    The SPI-label Attribute  ................................... 17
5.2.3    Route Distribution among PEs by BGP  ....................... 19
5.2.4    How VPN-IPv4 NLRI is Carried by BGP  ....................... 20
5.2.5    Building VPNs using Route Targets  ......................... 21
6        Forwarding across the Backbone  ............................ 21
7        How PEs learn Routes from CEs  ............................. 21
8        How CEs learn Routes from PEs  ............................. 22
9        Inter-Provider Backbones  .................................. 23
10       Use of an MPLS Backbone  ................................... 23
11       Security  .................................................. 24
12       Scalability  ............................................... 24
13       References  ................................................ 25
14       Acknowledgements  .......................................... 25
15       Authors' Addresses  ........................................ 25

Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",  "SHALL  NOT",
   "SHOULD",  "SHOULD  NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.0 Introduction

   Most of the definitions used in this introduction come from the model
   presented in [RFC2547bis]. For the sake of completeness, we introduce
   them in this document too.

1.1 Motivation

   This document proposes a model to deploy VPNs  that  extends  on  the
   model  presented  in  [RFC2547bis].  The purpose of extending the VPN
   procedures described in [RFC2547bis] is twofold:

      a) The IPsec based VPN model does not require the presence of an
      MPLS-aware backbone, thereby allowing a wider deployment of
      inter-provider backbone VPNs. Note that the usage of MPLS over
      certain segments of the backbone is not excluded, and could be
      used for traffic engineering and QoS purposes.

      b) The IPsec based VPN model offers stronger security services
      than the "layer-2" security offered by the model described in
      [RFC2547bis]. Note that while "layer-2" security might be
      sufficient for intra-domain VPN operation, it might fall short in
      providing security when building VPNs over multiple adjacent
      backbones, some of which might not even be VPN aware.

   This document proposes an IPsec based  VPN  model  that  is  easy  to
   combine  with  [RFC2547bis] and that offers the additional advantages
   stated before.

   Note further that the procedures as described in this document do not
   require  any  extensions to the IPsec framework, and as such can make
   use of an existing implementation base.

1.2 Virtual Private Networks

   As in [RFC2547bis], we consider a set of "sites" which are attached
   to a common network which we call the "backbone". On this topology we
   apply some policy to create a number of subsets of that set of sites,
   and we impose the following rule: two sites may have IP connectivity
   over that backbone only if at least one of these subsets contains
   them both.

   The subsets that we have created are "Virtual Private Networks"
   (VPNs). Two sites have IP connectivity over the common backbone only
   if there is some VPN that contains them both. Two sites which have no
   VPN in common have no connectivity over that backbone.

   We consider the case where the owner and operator of the "backbone"
   is a Service Provider (SP), and where the owners of the "sites" are
   the customers of that SP. In this document, we discuss mechanisms
   that may be used to implement the policies that determine whether a
   set of sites belongs to a certain VPN. We do not focus on the question
   of whether it is the SP or the customer that implements these
   policies, though this model allows for both approaches.

   The model presented in this document allows for the deployment  of  a
   wide   range   of   policies   (leading  to  different  communication
   topologies: full mesh, hub and spoke, ...).


1.3 Edge Devices

   We suppose that at each site, there are one  or  more  Customer  Edge
   (CE) devices, each of which is attached via some sort of data link to
   one or more Provider Edge (PE) routers.  Routers  in  the  Provider's
   network  backbone  which  do not attach to CE devices are known as "P
   routers".

   The CE device may be a single host, or a switch if the considered
   site is a single subnet; in general, however, the CE device may be
   expected to be a router.

   We will say that a PE router is 'attached to a VPN' if it is attached
   to a CE device that is in that VPN.

   When the CE device is a router, it is a routing peer of the PE(s) it
   is attached to (by means of any routing protocol), but it is NOT a
   routing peer of the CE routers at the other sites, even if they are
   in a common VPN. Routers at different sites do not directly exchange
   routing information with each other; they do not even have to know
   of each other's existence at all. As in the BGP/MPLS VPN model
   [RFC2547bis], in this document a VPN is not an "overlay" on top of
   the SP's network, and a VPN customer does not have to manage a
   "virtual backbone" in the SP's backbone.

1.4 Multiple Routing and Forwarding Instances in PEs

   Every PE router maintains a number  of  separate  forwarding  tables.
   Every site to which the PE is attached must be mapped on one of these
   forwarding tables. In the scope of this document,  we  will  use  the
   term  VRF  (VPN  Routing  and  Forwarding  Instance)  to describe the
   instances in the PE that do the  forwarding  and  the  routing  in  a
   specific  context  and  that  contain  a specific separate forwarding
   table.

   So this means that every site is mapped to a particular VRF.

   When a packet is received by a PE router from a  specific  site,  the
   VRF associated with that site must be used to handle that packet. The
   forwarding table in a VRF associated with a particular site  must  be
   populated  ONLY  with  routes that lead to sites that have at least a
   VPN in common with the considered site. This  prevents  communication
   between sites that are not in the same VPN.

   The way this 'selective population' of routing tables is done is
   explained further in this document.

   The relationship between sites and VRFs is a one-to-one or a many-
   to-one relationship. More than one site can be associated with the
   same VRF only if they have access to the same set of routes (if they
   have all their VPNs in common).

   A PE router is "attached" to a site when it is  the  endpoint  of  an
   interface  or  "sub-interface" (PVC, VLAN, etc.) whose other endpoint
   is a CE device. It is the interface through which the PE  received  a
   packet that identifies the VRF to send the packet to.

1.5 VPNs with Overlapping Address Spaces

   An important requirement for VPNs is that different VPNs must be able
   to  use  overlapping  private  address  spaces. This model allows the
   usage of overlapping address spaces, for VPNs that do not have  sites
   in common.

   The fact that sites in different VPNs are mapped  to  different  VRFs
   (thus to different routing and forwarding contexts) in the PEs, makes
   it possible for different VPNs to have overlapping address spaces.

   The usage of the IPsec tunnel mode in the backbone network hides  the
   private  addresses  in that backbone, so that also there all possible
   ambiguity disappears when using overlapping address spaces.


1.6 VPNs with Different Routes to the Same System

   As it is stated in [RFC2547bis], the fact that  routes  are  included
   independently  in  the  different VRFs makes it possible to introduce
   (in different VRFs) different routes to the very same system, so that
   the route to a certain system is dependent on the VRF that handles
   the packet (i.e. dependent on the origin of the packet). This can be
   used to create (more) complex communication topologies.

1.7 SP Backbone Routers

   The SP's backbone consists of  the  PE  routers,  as  well  as  other
   routers which are not attached to CE devices ("P routers").

   The model presented in this document does not impose any VPN
   knowledge on the P routers, nor does it require the use of e.g. MPLS
   in the backbone network. The only requirement for the P routers is
   that they are regular IP routers, and that they maintain /32
   addresses for every PE participating in the BGP/IPsec VPN context.

   The routing information about a particular VPN is only present in the
   PE routers that attach to that VPN.

1.8 Security

   The model to deploy VPNs described in this document offers two kinds
   of security measures. The first security aspect is offered by the
   IPsec security protocols. The IP traffic sent over the backbone(s)
   is sent through IPsec tunnels, so that it can be encrypted and
   authenticated. This allows for the deployment of VPNs over
   untrusted, non-participating backbones. This provides a PE to PE
   end-to-end security service.

   In  addition,  in  the  absence  of  misconfiguration  or  deliberate
   interconnection  of different VPNs, it is not possible for systems in
   one VPN to gain access to systems in another VPN.

1.9 Using IPsec in the backbone

   In the model presented in this document,  the  IP  security  protocol
   [RFC2401]  is  used  instead of MPLS to tunnel IP packets through the
   backbone of the network.

   Because there is no concept of "label-stacking" in IPsec, the
   straightforward way of providing IPsec network-based VPNs would be to
   deploy a full mesh of Security Associations between the VRFs among
   the participating PEs. This would cause serious scalability problems
   and is therefore not applicable for large networks.

   The scalability problems arise because:

   a) every VRF in a PE needs to  maintain  Security  Associations  with
   every VRF from the peer PEs that are attached to the same VPN(s).

   b) the creation of a new VRF in a certain PE requires the creation of
   new   Security   Associations   via   IKE-exchanges   with   all  the
   participating PEs.

   The model presented in this document provides a way to deploy IPsec
   network-based VPNs in a scalable manner. There is only a full mesh
   of SAs between participating PEs, not between VRFs. The selection of
   the correct VRF when a packet arrives at the end of the IPsec tunnel
   (the goal of the second label in the [RFC2547]-model) is based on the
   Security Parameter Index. This means that a method must be provided
   to link a pool of SPIs with a single Security Association instead of
   the usual one-to-one relationship between an SA and an SPI.

   This model resolves this by introducing the concepts of an SPI-prefix
   and an SPI-label.

2.0 Sites and CEs

   This document uses the same definitions and imposes the  same  global
   behaviour on the sites and the CEs as [RFC2547bis].

   From the perspective of a particular backbone network, a  set  of  IP
   systems   constitutes   a  site  if  those  systems  have  mutual  IP
   interconnectivity, and communication among them  occurs  without  the
   use of the backbone.

   A CE device is always regarded as being in a single  site  (though  a
   site  may  consist  of  multiple  "virtual  sites", see later in this
   section). A site may belong to multiple VPNs.

   A PE router may attach to CE  devices  in  any  number  of  different
   sites, whether those CE devices are in the same or in different VPNs.
   A CE device may (for robustness for example) attach to multiple  PEs,
   of the same or of different SPs.

   While we use the site as  the  basic  unit  of  interconnection,  the
   architecture of [RFC2547bis] allows for a finer degree of granularity
   in the  control  of  interconnectivity.  These  techniques  are  also
   applicable  in  this  model.  The customer itself may divide its site
   into different "virtual sites", each belonging to a different set  of
   VPNs.  The  PE  then needs to contain a separate VRF for each virtual
   site. The way this can be done is explained in [RFC2547bis].


3.0 VPN Routing and Forwarding Instances

   Each PE router maintains one or more "per-site-forwarding tables". As
   stated  before,  these  are  known  as  VRFs,  or  "VPN  Routing  and
   Forwarding" instances. Every site to which the PE router is  attached
   is  associated  with  one  of  these  tables.  A  particular packet's
   (private) IP destination address is looked up  in  a  particular  VRF
   only  if  that  packet  has  arrived  directly  from  a site which is
   associated with that table.

   In a PE router, the following rules apply:

   - sub-interfaces may be mapped to VRFs

   - the mapping between sub-interfaces (sites) to VRFs  is  many-to-one
   or one-to-one

   - the VRF in which a packet's destination address  is  looked  up  is
   determined by the sub-interface over which it is received

   - two sub-interfaces (sites) may not be mapped to the same VRF unless
   the  same  set of routes is meant to be available to packets received
   over either sub-interface (both sub-interfaces "are in the  same  set
   of VPNs").

   The way in which VRFs are populated is explained further in this
   document.

   If a site is in multiple VPNs, the  VRF  associated  with  that  site
   contains  the routes from the full set of VPNs of which the site is a
   member.

   [RFC2547bis] gives two basic methods for  providing  Internet  access
   over  an interface that is associated with a VRF: the VRF may contain
   a default route which leads to a firewall; or, if no entry in the VRF
   matches the destination address, the packet's destination address may
   be matched against the PE's Internet forwarding table.

   When a PE receives a packet from a directly attached site, it  always
   looks  up  the  packet's  destination  address  in  the  VRF which is
   associated with that site. However, when a PE receives a packet which
   is destined to go to a particular directly attached site, it does not
   necessarily need to look up the packet's destination address  in  the
   appropriate  VRF (although in some cases it will need to). The packet
   may already be carrying enough information (in the form of a VPN-SPI,
   see section 4.4) to determine the packet's outgoing sub-interface.

4.0 The VPN-SPI

4.1 Introduction

   The Security Architecture for the Internet Protocol [RFC2401] defines
   a  Security  Association  (SA)  as a unidirectional "connection" that
   affords security services to the traffic  carried  by  it.  It  is  a
   relationship   between   two   entities,  represented  by  a  set  of
   information that can be considered a contract between the entities. A
   Security  Association  is  identified  by  a  triple  consisting of a
   Security Parameter Index (SPI), an  IP  Destination  Address,  and  a
   security  protocol  (AH  or  ESP).  The  SPI is used to differentiate
   between different Security Associations to the  same  IP  Destination
   Address,  using  the  same  security  protocol.  The SPI is a pseudo-
   random 32-bit number for which no formal format has been defined.

4.2 The VPN-SPI used in the IKE Negotiation

   This document presently defines two SPI-formats  and  interpretations
   to  be  used in the IKE negotiation phase: a VPN-SPI format (V-flag =
   1), and a non-VPN-SPI format (V-flag = 0). The way to  interpret  the
   SPI  in  IKE  is  dependent on the value of the first SPI bit: the V-
   flag.

4.2.1 VPN-SPI format, V-flag = 1

   It is assumed in this document that the peer PE that receives the
   packets through an IPsec tunnel identified by a certain SPI has
   chosen the SPI associated with that tunnel during the IKE
   negotiation.

   Provider Edge Routers that use IKE to establish IPsec tunnels between
   them  to  be  used  in the BGP/IPsec VPN context,  MUST interpret the
   negotiated SPIs according to the format defined in this document.

   This model assumes that for the inbound ("inbound" is used to denote
   the process of handling packets coming out of the IPsec tunnel) IPsec
   SA selection, the following identifiers are used: the Destination IP
   address of the outer IP header, the Security Protocol (AH or ESP) in
   the security header of the IPsec packet, the SPI, and optionally the
   Source IP address of the outer IP header. Although the use of the
   Source IP Address in the outer IP header during the inbound SA
   selection process is not standardized, it is recommended to do so
   when using this model.

   In the model described by this document, every PE should define at
   least one "SPI-prefix" per participating peer PE. If the source IP
   address in the outer IP header of an incoming IPsec packet cannot be
   used to select the appropriate SA (in addition to the destination IP
   address, the security protocol and the SPI), then these SPI-prefixes
   must be different for every peer PE. But if the source IP address in
   the outer IP header of an incoming IPsec packet can be used to select
   the appropriate SA, then platform-wide SPI-prefixes can be assigned
   (this means the same SPI-prefix for every peer PE).

   A reason to assign more than one SPI-prefix to a certain PE, could be
   that  two  PEs  could maintain multiple SAs, because some VPN traffic
   needs stronger protection than other VPN traffic.

   Every PE must choose a  certain  (platform-wide)  SPI-prefix  length.
   Even  if  different  SPI-prefixes are chosen by a certain PE (for its
   different peer PEs for example), their length must be the  same.  The
   length  of  the SPI-prefixes chosen by the other PEs may of course be
   different. The length of any SPI-prefix MUST be shorter than 27 bits.

   This means that every PE must do the following things  (independently
   of the other PEs):

   - choose a fixed SPI-prefix length, shorter than 27 bits.

   - if the Source IP address of the outer IP header cannot be used by
   the inbound IPsec process in the PE for the SA selection process:
   associate at least one SPI-prefix (of the defined length) with every
   peer PE. These SPI-prefixes must be unique within the context of a PE
   (each one identifies a peer PE).

   - if the Source IP address of the outer IP header can be used by the
   inbound IPsec process in the PE: associate at least one SPI-prefix
   (of the defined length) with every peer PE. These SPI-prefixes need
   not be unique (the same SPI-prefix may be used for every peer PE).

   In the regular IKE specifications, the SPI is defined  as  a  pseudo-
   randomly  generated number.  This document imposes a formal format on
   the SPI used in the IKE negotiation under the  conditions  applicable
   in  this  section of the document.  This allows the negotiating peers
   to interpret the SPIs as belonging to  a  BGP/IPsec  VPN-environment,
   and  to  negotiate  about  SPI-pools instead of about single SPIs, so
   that  multiple  SPIs  can  be  associated  with  a  single   Security
   Association.

   The formal format for the VPN-SPI used  in  IKE-negotiations  is  the
   following:

   0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |V|   len   |                    prefix                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   V-flag:

      This flag is used to differentiate  IKE-negotiations  about  IPsec
      tunnels  to be interpreted in the BGP/IPsec VPN context (V = 1) or
      in another context (V = 0). In the VPN-SPI context, this flag MUST
      be set to 1.

   len:

      This 5-bits field defines the length of the prefix included in the
      prefix-field of the VPN-SPI.

   prefix:

      This 26-bit field contains the left-aligned SPI prefix. The length
      of the SPI-prefix is defined by the len-field of the VPN-SPI.  The
      length of the SPI-prefix MUST be smaller than 27 bits.  The  other
      (=  26  - length) bits must be set to 0 and should be ignored when
      received.

   The length of the VPN-SPI prefix may be chosen in an intelligent way:
   the length of the prefix is proportional to the maximum number of
   Security Associations with a peer PE in the BGP/IPsec VPN context and
   - if the source IP address cannot be used in the SA selection
   process - to the number of PEs participating in the BGP/IPsec VPN
   scenario; the length of the label (= 32 bits - length of the prefix)
   is proportional to the number of VRFs to be implemented in the
   considered PE.

   This means for example that a PE may choose a prefix-length of  0  if
   it is able to use the source IP address of the outer IP header in the
   inbound SA selection process, and if it wants only one SA with  every
   peer  PE  in  the  BGP/IPsec  VPN  context  (so  that all the traffic
   receives the same protection). In that example,  the  correct  SA  is
   then  selected solely based on the source IP address, the destination
   IP address, the security header and the complete SPI (if the SPI does
   not  refer  directly  to  a SA with the considered peer PE, but it is
   assigned as a label, then the BGP/IPsec VPN SA with the peer PE  must
   be used). This prefix length of 0 allows for a 32-bit SPI-label space
   and the deployment of a large number of VRFs in the considered PE.

4.2.2 non-VPN-SPI format, V-flag = 0

      0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |V|                  pseudo-random value                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The SPI format used in the IKE negotiation in the non-VPN-SPI context
   does  differ  from  the  normal  SPI  format  (a pseudo-random 32-bit
   number) on only one point: the first bit MUST be set to 0.

   V-flag:

      this flag  is  used  to  differentiate  negotiations  about  IPsec
      tunnels  to  be  interpreted  in the BGP/IPsec VPN context (V = 1)
      from other contexts (V = 0). In the non-VPN-SPI context, this flag
      MUST be set to 0.

   pseudo-random value:

      this 31-bit field contains a pseudo-random number.

4.2.3 Use of the VPN-SPI during the IKE negotiation

   During a normal IKE negotiation, two SAs are set up. The SPIs
   identifying these SAs are chosen by the receiving party.

   Every PE participating in the BGP/IPsec VPN scenario  MUST  define  a
   VPN-SPI prefix per peer PE, with a certain length.

   The receiving PE (i.e. the PE that will receive  the  IPsec  packets)
   must  now  form 32-bit VPN-SPIs as described in section 4.2.1 for the
   BGP/IPsec VPN SA negotiation via IKE with every peer  PE.  To  create
   these  VPN-SPIs, the PE sets the V-bit to 1, sets the length-field to
   the correct value and inserts the correct SPI-prefix in  the  correct
   field.  A  particular  VPN-SPI  must be used in all the IKE-exchanges
   with the appropriate peer PE in the BGP/IPsec VPN context.

   As a result of these IKE exchanges, every PE has at least  1  inbound
   SA  with  every other PE for the BGP/IPsec VPN context. These SAs are
   identified by:

   - the destination IP address

   - the security protocol (AH or ESP)

   - the V-bit of the VPN-SPI

   - the unique (i.e. different for every peer PE) SPI-prefix  when  the
   Source IP Addresses are not used

   - the SPI-prefix and the Source IP address when  the  Source  address
   may be used
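   The VPN-SPI handling of sections 4.2.1 to 4.2.3 (building the V = 1
   VPN-SPI that a receiving PE offers in IKE, the V = 0 non-VPN-SPI, and
   the interpretation of an SPI on receipt) as an added Python example;
   this is not code from the draft or its authors, and the prefix values
   used are constructed.

```python
"""VPN-SPI as exchanged in the IKE negotiation (sections 4.2.1 to 4.2.3).

Added example, not code from the draft. Bit layout, bit 0 being the most
significant bit of the 32-bit SPI:
  bit 0      : V-flag (1 = BGP/IPsec VPN context, 0 = any other IPsec context)
  bits 1-5   : len, the length of the SPI-prefix in bits (MUST be < 27)
  bits 6-31  : 26-bit field holding the left-aligned SPI-prefix, rest zero
"""
import secrets
from dataclasses import dataclass
from typing import Optional

V_FLAG = 1 << 31
LEN_SHIFT = 26
LEN_MASK = 0x1F
PREFIX_FIELD_BITS = 26
MAX_PREFIX_LEN = 26          # "shorter than 27 bits"


@dataclass(frozen=True)
class VpnSpi:
    prefix_len: int   # number of significant bits of the SPI-prefix
    prefix: int       # the SPI-prefix value, right-aligned (0 <= prefix < 2**prefix_len)


def encode_vpn_spi(prefix: int, prefix_len: int) -> int:
    """The 32-bit VPN-SPI a receiving PE offers in IKE for its VPN SA (V-flag = 1)."""
    if not 0 <= prefix_len <= MAX_PREFIX_LEN:
        raise ValueError("SPI-prefix length MUST be shorter than 27 bits")
    if not 0 <= prefix < (1 << prefix_len):
        raise ValueError("prefix does not fit in prefix_len bits")
    # Left-align the prefix in the 26-bit prefix field; the unused low bits stay 0.
    field = prefix << (PREFIX_FIELD_BITS - prefix_len)
    return V_FLAG | (prefix_len << LEN_SHIFT) | field


def non_vpn_spi() -> int:
    """An SPI for any other IPsec context on the PE: pseudo-random, first bit 0 (4.2.2)."""
    return secrets.randbits(32) & 0x7FFFFFFF


def decode_ike_spi(spi: int) -> Optional[VpnSpi]:
    """Interpret an SPI received in IKE: the SPI-prefix for V = 1, None for V = 0."""
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be a 32-bit value")
    if not spi & V_FLAG:
        return None                       # non-VPN-SPI: an opaque pseudo-random value
    prefix_len = (spi >> LEN_SHIFT) & LEN_MASK
    if prefix_len > MAX_PREFIX_LEN:
        raise ValueError("len field exceeds 26 bits")
    field = spi & ((1 << PREFIX_FIELD_BITS) - 1)
    # The 26 - prefix_len padding bits "should be ignored when received":
    # shifting the field right drops them whether or not the sender zeroed them.
    return VpnSpi(prefix_len, field >> (PREFIX_FIELD_BITS - prefix_len))


def label_space(prefix_len: int) -> int:
    """Number of SPI-labels, hence VRFs, left for the 32 - prefix_len label bits."""
    if not 0 <= prefix_len <= MAX_PREFIX_LEN:
        raise ValueError("SPI-prefix length MUST be shorter than 27 bits")
    return 1 << (32 - prefix_len)


if __name__ == "__main__":
    # Constructed example: a PE using 4-bit prefixes offers prefix 0b1011 to a peer.
    offered = encode_vpn_spi(0b1011, 4)
    print(hex(offered), decode_ike_spi(offered), label_space(4))
```

   A prefix length of 0, the case discussed at the end of section 4.2.1,
   yields the VPN-SPI 0x80000000 and a 32-bit label space.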

4.3 The VPN-SPI in the IPsec processing

4.3.1 Format and interpretation of the VPN-SPI in the IPsec processing

   The SPI that is finally inserted in the security headers of the
   IPsec packets has the following format:

      0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      prefix  ..  |  ..              label                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   prefix:

      This field identifies the SA to associate an  IPsec  packet  with.
      The  length  of  this  prefix-field was negotiated during the IKE-
      negotiation.

   label:

      The length of the label  field  is:  32  bits  -  (length  of  the
      prefix).  This part of the VPN-SPI is not used to find the correct
      SA during inbound processing, but  it  is  used  to  identify  the
      correct  outgoing  interface  or VRF after the IPsec processing in
      the egress PE (see later in this document).

   Note that every PE must take care not to assign, for  IPsec  contexts
   other  than  the  BGP/IPsec  VPN  context, SPIs that coincide with the
   combination of any distributed VPN-SPI prefix with any VPN-SPI  label
   (i.e. any SPI whose high-order bits equal a distributed prefix).

4.3.2 Outbound IPsec processing

   As described in [RFC2547bis], an IP packet  coming  from  a  customer
   site  will  be  handled  in  a  dedicated  VPN Routing and Forwarding
   instance in the considered PE. The choice of the VRF is based on  the
   packet's  incoming  sub-interface. In that VRF, a routing lookup will
   be done, based on the (private) destination address in  the  packet's
   IP  header.  As  a  result of that lookup, the information associated
   with a particular packet is: the next hop (PE) and the outgoing  sub-
   interface  to  send  the  packet to, and a specific SPI-label (with a
   certain length) to associate with that packet (assigned to that route
   by  the  next hop PE = BGP next hop). The mechanism by means of which
   the routes in the VRFs are associated with the correct SPI-labels  is
   explained  elsewhere  in this document (section 5.0). If the outgoing
   sub-interface is associated with a VRF, then the next  hop  is  a  CE
   device  attached  to the same PE. The packet is then directly sent to
   that outgoing interface (although a new  lookup  in  a  VRF  is  also
   possible).

   If the next hop PE is another PE, then the outgoing interface  is  an
   interface  to  the  backbone, and the packet must be IPsec processed.
   Within a PE, the VRF that handles  the  considered  packet,  together
   with  the  'next  hop  PE'  found after the lookup (the 'selectors'),
   uniquely identify a SA (= a  certain  security  association  for  the
   BGP/IPsec VPN context between this PE and the next hop-PE).

   The packet will now be processed according to that SA and the  packet
   will  be  sent  over  the  IPsec tunnel to the next hop PE, using the
   appropriate VPN-SPI (constructed using the SPI-label found after  the
   lookup  in  the  VRF  and  using  the  SPI-prefix associated with the
   considered SA) in the SPI-field of the security header of  the  IPsec
   packet.

4.3.3 Inbound IPsec processing

   When a PE receives an IPsec packet from the  core  network  that  has
   its  own  IP address in the destination IP address field of the outer
   IP header, the correct SA must be identified.  This SA is  identified
   by means of: the Destination IP address (its own IP address)  in  the
   outer IP header, the security protocol (AH or ESP), the SPI (in  fact
   only the prefix-part of the SPI is enough to identify a BGP/IPsec VPN
   SA), and optionally the Source IP address of the outer IP header.

   Once the correct  SA  is  identified,  the  packet  will  be  handled
   according   to   the  IPsec  inbound  processing  rules:  decryption,
   authentication, etc.  The result of this is a regular IP packet  with
   (possibly private) IP addresses in the IP header.

4.4 Use of the VPN-SPI after the inbound IPsec processing

   Now, instead of routing this IP packet according  to  the  global  IP
   Routing  table of the PE (which is not possible because of the use of
   private  addresses),  the  label-part  of  the  VPN-SPI   (that   the
   considered  PE  distributed  with the VPN addresses via BGP) found in
   the security header of the IPsec packet is used to direct the  packet
   immediately  to the correct customer-side interface or to the correct
   VRF for further processing in the right private address context.  The
   label-part of the VPN-SPI has the same role as the first label in the
   BGP/MPLS VPN model [RFC2547bis].
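   The outbound construction of section 4.3.2, the prefix-only inbound
   SA lookup of section 4.3.3 and the label-based steering of section
   4.4, worked through in Python as an added example; this is not code
   from the draft. The PE addresses, the 12-bit prefix length, the
   SPI-prefix value 0x401, the labels and the VRF names are constructed
   for the illustration, and the IPsec authentication and decryption
   step is represented by a comment only. The check for SPIs of other
   IPsec contexts implements the rule stated at the end of section 4.3.1.

```python
# Constructed illustration: PE addresses, prefix length, labels, VRF names are made up.
from dataclasses import dataclass, field
import ipaddress

SPI_BITS = 32


def make_vpn_spi(spi_prefix: int, prefix_len: int, label: int) -> int:
    """Outbound: prefix in the prefix_len high-order bits, label in the rest."""
    label_len = SPI_BITS - prefix_len
    if not 0 < prefix_len < SPI_BITS:
        raise ValueError("prefix length must leave room for both fields")
    if spi_prefix >> prefix_len or label >> label_len:
        raise ValueError("prefix or label does not fit its field")
    return (spi_prefix << label_len) | label


def split_vpn_spi(spi: int, prefix_len: int) -> tuple:
    """Inbound: (prefix, label).  Only the prefix-part identifies the SA."""
    label_len = SPI_BITS - prefix_len
    return spi >> label_len, spi & ((1 << label_len) - 1)


@dataclass
class SA:                 # inbound SA of the egress PE = outbound SA of the ingress PE
    dst: str              # egress PE global address (outer destination)
    proto: str            # "ESP" or "AH"
    spi_prefix: int       # SPI-prefix negotiated via IKE with this peer
    prefix_len: int


@dataclass
class EgressPE:
    """Receiving PE: owns the SPI-prefix and label space for its own address."""
    addr: str
    prefix_len: int
    inbound_sas: dict = field(default_factory=dict)  # (dst, proto, prefix) -> SA
    labels: dict = field(default_factory=dict)       # label -> VRF or CE interface

    def install_inbound_sa(self, sa: SA) -> None:
        self.inbound_sas[(sa.dst, sa.proto, sa.spi_prefix)] = sa

    def assign_label(self, target: str) -> int:
        """Allocate the SPI-label that is advertised with a route via BGP."""
        label = len(self.labels) + 1            # label 0 left unused here
        if label >> (SPI_BITS - self.prefix_len):
            raise RuntimeError("label space exhausted")
        self.labels[label] = target
        return label

    def non_vpn_spi_allowed(self, spi: int) -> bool:
        """Section 4.3.1 rule: an SPI for another IPsec context must not share
        its prefix-part with any distributed VPN-SPI prefix."""
        prefix, _ = split_vpn_spi(spi, self.prefix_len)
        return all(sa.spi_prefix != prefix for sa in self.inbound_sas.values())

    def receive(self, pkt: dict) -> str:
        """Inbound: SA lookup on (dst, proto, prefix-part), then label -> VRF."""
        prefix, label = split_vpn_spi(pkt["spi"], self.prefix_len)
        if (pkt["dst"], pkt["proto"], prefix) not in self.inbound_sas:
            raise LookupError("no BGP/IPsec VPN SA for this packet")
        # ... authentication / decryption of pkt["payload"] happens here ...
        if label not in self.labels:
            raise LookupError("label never distributed via BGP: drop")
        return self.labels[label]


@dataclass
class IngressPE:
    """Sending PE: VRF lookup -> (next hop PE, label) -> SA -> VPN-SPI."""
    addr: str
    vrfs: dict = field(default_factory=dict)          # vrf -> {route: (next hop, label)}
    outbound_sas: dict = field(default_factory=dict)  # (vrf, next hop PE) -> SA

    def send(self, vrf: str, inner_dst: str) -> dict:
        dst = ipaddress.ip_address(inner_dst)
        hits = [(ipaddress.ip_network(r), v) for r, v in self.vrfs[vrf].items()
                if dst in ipaddress.ip_network(r)]
        if not hits:
            raise LookupError(f"{inner_dst} not reachable in {vrf}")
        _, (next_hop, label) = max(hits, key=lambda h: h[0].prefixlen)  # longest match
        sa = self.outbound_sas[(vrf, next_hop)]
        return {"src": self.addr, "dst": sa.dst, "proto": sa.proto,
                "spi": make_vpn_spi(sa.spi_prefix, sa.prefix_len, label),
                "payload": inner_dst}


def demo() -> dict:
    """Two VRFs whose customers both use 10.1.0.0/16, carried over one SA."""
    sa = SA(dst="192.0.2.2", proto="ESP", spi_prefix=0x401, prefix_len=12)  # 20-bit label
    pe2 = EgressPE(addr="192.0.2.2", prefix_len=12)
    pe2.install_inbound_sa(sa)
    pe1 = IngressPE(addr="192.0.2.1")
    out = {}
    for vrf in ("VRF-red", "VRF-blue"):
        label = pe2.assign_label(vrf)                  # pe2 advertises it via BGP
        pe1.vrfs[vrf] = {"10.1.0.0/16": ("192.0.2.2", label)}
        pe1.outbound_sas[(vrf, "192.0.2.2")] = sa
        pkt = pe1.send(vrf, "10.1.2.3")                # same private address, two VPNs
        out[vrf] = (pkt["spi"], pe2.receive(pkt))      # (VPN-SPI on the wire, VRF chosen)
    return out
```

   Running demo() shows the same private destination leaving the ingress
   PE with SPIs 0x40100001 and 0x40100002: identical prefix-part (one
   SA), different label-part (two VRFs at the egress PE).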

4.5 Achievement

   The introduction of the  VPN-SPI  does  not  affect  the  real  IPsec
   processing.  The SPI still identifies a SA. Also the IKE-mechanism is
   not changed radically: it is still two  peers  negotiating  SAs,  and
   assigning SPIs to them. The only difference is that some structure in
   these SPIs must be recognized.  By introducing this structure to  the
   SPI, and imposing the use of this structure on the participating PEs,
   two goals have been achieved:

   - IKE is able to negotiate about SPI-pools, so that multiple SPIs can
   point to the same SA.

   - the SPI (more precisely, a part of the SPI) can be used as a  label
   to  identify the correct VPN context to process certain packets in (a
   VRF), or the correct outgoing interface to send the packet to.

5.0 VPN Route Distribution via BGP

   The distribution over the backbone of the  (private)  routes  to  the
   different  sites  participating  in the BGP/IPsec VPN model, uses the
   same conceptual model as the  BGP/MPLS  VPN  model  [RFC2547bis]:  PE
   routers use BGP to distribute VPN routes to each other.

   We allow each VPN to have its own address space, which means  that  a
   given address may denote different physical systems in different VPNs
   (concept of 'private addresses'). If  two  routes,  to  the  same  IP
   address  prefix,  are actually routes leading to separate systems, we
   must make  sure  that  BGP  treats  them  as  two  different  routes.
   Otherwise  BGP  might  choose to install only one of them, making the
   other system unreachable. Further, we must make sure that  policy  is
   used  to determine which packets get sent on which routes. Given that
   several routes are installed by BGP, only one of them may appear in a
   particular VRF.

   These goals are met by the use of the VPN-IPv4 address family and  by
   the use of the Route Target attribute.

5.1 The VPN-IPv4 Address Family

   The BGP Multiprotocol extensions [BGP-MP] allow BGP to  carry  routes
   from  multiple "address families". [RFC2547] introduces the notion of
   "VPN-IPv4 address family". The model described in this document  uses
   the  same  address  family (but does not use the "labeled"-version of
   it). A VPN-IPv4 address is a 12-octet quantity, beginning with an  8-
   octet  "Route  Distinguisher"  (RD),  and  ending with a 4-octet IPv4
   address. If two VPNs use the same IPv4 address prefix for a different
   system,  the  PEs transform these into two different VPN-IPv4 address
   prefixes (using two different RDs).

   For the possible other uses of the RD and the structure and  encoding
   of the RD, we refer to [RFC2547bis].

5.2 Controlling Route Distribution

   In this section, we discuss the means by which  the  distribution  of
   the VPN-IPv4 routes is controlled.

5.2.1 The Route Target Attribute

   The BGP/MPLS VPN model [RFC2547bis] introduces the concept of  "Route
   Target"  attributes. These BGP attributes are encoded as BGP Extended
   Community Route Targets [BGP-EXTCOMM].

   Every VRF in a PE  is  associated  with  one  or  more  Route  Target
   attributes  (=  the  "import"  Route  Target  attributes). Every site
   attached to a PE is also associated with one  or  more  Route  Target
   attributes  (=  the  "export"  Route Target attributes). These Export
   Route Target attributes may be associated per route, per site or  per
   VRF  (thus  possibly associated with more than one site, as more than
   one site may be served by the same VRF). The two sets of Route Target
   attributes need not be identical, they are distinct.

   When a PE learns a customer-route from one of his attached  CEs,  the
   PE  creates  a  VPN-IPv4  route  to  distribute with BGP. The PE then
   associates one or more "Route Target" attributes with that route (the
   "export"  Route  Targets  associated with the considered site). These
   Route Targets are carried in BGP as attributes of the route.

   Any  route  associated  with  a  certain  Route  Target  T  must   be
   distributed  to  every PE router that has at least one VRF associated
   with Route Target T (an "import" Route Target of that VRF). When such
   a  route  (carrying  a  Route Target attribute T) is received by a PE
   router, it is eligible to be installed only in those  VRFs  that  are
   associated  with  an  "import"  Route  Target  T.  Whether  the route
   actually gets installed is  dependent  on  the  outcome  of  the  BGP
   decision process.

   A Route Target Attribute can be thought of as identifying  a  set  of
   sites  or  a set of VRFs. It is used to filter the appropriate routes
   into the correct VRFs.

   Several methods can be used to associate  routes  with  Route  Target
   attributes:  a  PE  can be configured to associate every route coming
   from a certain site with a set of Route Targets; or to associate some
   routes  with  one  set  of Route Targets and some routes with another
   set; or alternatively, the control could be shifted to the CE: the CE
   could  specify  every  route it advertises to the PE with one or more
   Route Targets.

5.2.2 The SPI-label Attribute

   Every PE must create SPI-labels that  uniquely  (within  its  own  PE
   context)  identify  how to handle (BGP/IPsec VPN)-packets coming from
   the core after IPsec processing (i.e. with a private  IPv4  address).
   These labels can identify an outgoing CE (sub-)interface or a VRF for
   further processing.

   When PEs distribute VPN-IPv4 routes to each other  in  the  BGP/IPsec
   VPN context, they MUST associate every route with a single "SPI-label
   Attribute". When a VPN-IPv4 route is inserted in certain VRFs in  the
   peer  PEs that received the BGP message, the according SPI-label MUST
   be associated with that route in the corresponding table.

   When after a Routing lookup in a VRF (for  a  packet  coming  from  a
   customer  interface) a match is found for the packet's destination IP
   address, the considered VRF and the next hop PE associated  with  the
   route  uniquely  indicate  the  appropriate SA (because they uniquely
   identify a BGP/IPsec VPN context and a destination PE); the SPI-label
   associated  with  the  route  in the routing table, together with the
   SPI-prefix associated with the considered SA, are used  to  construct
   the  appropriate  SPI  (see  section  4.3.2)  to  use in the security
   headers of the resulting IPsec packets.

   The BGP SPI-label Attribute has the following format:

      0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |O|T|P|E|  null | SPI-label type|     length    | length label  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      label + padding bits                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Optional-bit (O):

      This bit should be set to 0, because the  SPI-label  attribute  is
      well-known for VPN-IPv4 routes in the BGP/IPsec VPN model and MUST
      be associated with every distributed BGP/IPsec VPN route.

   Transitive-bit (T):

      This bit should be set to 1, as the SPI-label attribute  is  well-
      known.

   Partial-bit (P):

      This bit should be set to 0, as the SPI label attribute  is  well-
      known.

   Extended Length-bit (E):

      This bit should be set to 0, as the length field is only one octet
      long.

   null-field:

      These bits are unused and must be set to zero  (and  ignored  upon
      receipt).

   SPI-label type:

      This field contains a one-octet number identifying  the  SPI-label
      Attribute.  This number should be assigned by IANA.

   length:

      This field contains the length of the  Attribute  data  (=  length
      label + label + padding bits) in octets.

   length label:

      This 1-octet field contains the length (in bits) of the  SPI-label
      that is included in the label + padding bits field. This length is
      dependent on the length of the SPI-prefixes that the PE has chosen
      (length label = 32 - length prefix)

   label + padding bits:

      This 4-octet field contains  the  SPI-label  associated  with  the
      considered  VPN-IPv4  route. The SPI-label is left-adjusted in the
      label + padding bits field. The remaining bits in this field  must
      be set to zero and must be ignored when received.

5.2.3 Route Distribution among PEs by BGP

   If two sites of a VPN attach to PEs that are in the  same  Autonomous
   System,  these  PEs  can  distribute VPN-IPv4 routes to each other by
   means of an IBGP connection between them.  The way it is done for PEs
   that  do  not belong to the same Autonomous System is explained later
   in this document (section 9).

   Like in the  model  described  in  [RFC2547bis],  the  use  of  route
   reflectors  [BGP-RR]  is  strongly  recommended in order to scale the
   number of BGP connections. The model described here  allows  for  the
   use of all the route reflector techniques to improve scalability.  As
   it is explained in [RFC2547bis], the set of VPN-IPv4  routes  may  be
   partitioned among a set of route reflectors.

   When a PE router distributes a VPN-IPv4 route via BGP,  it  uses  its
   own  address as the "BGP next hop".  As BGP must use only one kind of
   Address Family ([BGP-MP]), this address  is  encoded  as  a  VPN-IPv4
   address  with  a  RD of 0. In addition, the PE assigns an appropriate
   SPI-label Attribute (and a set of Route Target Attributes, see later)
   to  the  route  and  distributes  it.  This  SPI-label identifies the
   destination within the PE (a certain customer-interface or a  certain
   VRF)  of  the  packets  coming  from  the  backbone and following the
   considered route.

   When the PE processes a  packet  received  from  the  core,  it  goes
   through the following steps:

   - identify the correct SA  by  means  of  the  SPI,  the  destination
   address and the security protocol.

   - process the packet according to the IPsec process  defined  by  the
   SA.

   - (if the SPI is a VPN-SPI) use the label-part of the VPN-SPI in  the
   security header of the IPsec packet (more precisely compare it to the
   SPI-labels distributed via BGP in the SPI-label attribute) to  direct
   the  packet to the correct outgoing interface or to a certain VRF for
   further processing.

   The use of the BGP refresh  mechanism  [BGP-RFSH]  and  the  outbound
   route filtering mechanism [BGP-ORF] is strongly recommended to assure
   maximum scalability of the model.

   From the BGP point of view, the model described in this document  has
   the  same  advantages  as  the  model described in [RFC2547bis]: a PE
   router should not install VPN-IPv4 routes belonging to VPNs it is not
   attached  to; a router which is not attached to any VPN (a P router),
   never installs any VPN-IPv4 routes at  all.   This  also  means  that
   there  is  no box that needs to know all the VPN-IPv4 routes that are
   supported over the backbone.

5.2.4 How VPN-IPv4 NLRI is Carried by BGP

   The BGP Multiprotocol Extensions [BGP-MP]  are  used  to  encode  the
   NLRI.  In the model proposed here, the concept of labeled IPv4-routes
   as it is introduced in [RFC2547bis] disappears.   This  requires  the
   assignment of a new SAFI value by IANA to identify UNlabeled VPN-IPv4
   addresses.  AFI  1  is  used,  because  the  network  layer  protocol
   associated with the NLRI is still IP.

   In order for two BGP peers to exchange unlabeled VPN-IPv4 NLRI,  they
   must  use  BGP  Capabilities Negotiation to ensure that they are both
   capable  of  processing  such  NLRI.  This  is  done  as specified in
   [BGP-MP], by using capability code 1 (multiprotocol BGP), with an AFI
   of 1 and a SAFI TBD.

   The unlabeled VPN-IPv4 NLRI itself is encoded as specified  in  [BGP-
   MP]:  a  1-octet length field indicating the length of the prefix (96
   bits for VPN-IPv4 addresses), followed by a 12-octet VPN-IPv4 prefix.
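   An encoder and decoder for the SPI-label attribute of section 5.2.2
   and for the unlabeled VPN-IPv4 NLRI and RD-0 next hop of sections
   5.1, 5.2.3 and 5.2.4, added here as an example; it is not code from
   the draft. The attribute type code 250 is an assumption (the draft
   leaves the value to IANA), and the type 0 RD layout (2-octet type,
   2-octet AS number, 4-octet assigned number) is the one defined in
   [RFC2547bis]. The decoder enforces the flag settings the draft
   prescribes for a well-known attribute and ignores the null and
   padding bits, as the draft requires.

```python
"""Wire encoding for the SPI-label path attribute and the unlabeled
VPN-IPv4 NLRI.  Constructed example: SPI_LABEL_TYPE is an assumed value
(the draft leaves the code to IANA); the type 0 RD layout is from
RFC 2547bis."""
import struct
import ipaddress

SPI_LABEL_TYPE = 250           # ASSUMPTION, not an IANA assignment
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_PARTIAL, FLAG_EXT_LEN = 0x80, 0x40, 0x20, 0x10


def encode_spi_label_attr(label: int, label_len: int) -> bytes:
    """flags (O=0,T=1,P=0,E=0) | type | length | label length | label+padding."""
    if not 1 <= label_len <= 31 or label >> label_len:
        raise ValueError("label does not fit the announced label length")
    value = bytes([label_len]) + struct.pack("!I", label << (32 - label_len))
    return bytes([FLAG_TRANSITIVE, SPI_LABEL_TYPE, len(value)]) + value


def decode_spi_label_attr(data: bytes) -> tuple:
    """Return (label, label_len, remaining bytes).  Flag settings of a
    well-known attribute are enforced; null and padding bits are ignored."""
    if len(data) < 3 or data[1] != SPI_LABEL_TYPE:
        raise ValueError("not an SPI-label attribute")
    flags, length = data[0], data[2]
    if flags & (FLAG_OPTIONAL | FLAG_PARTIAL | FLAG_EXT_LEN) or not flags & FLAG_TRANSITIVE:
        raise ValueError("flags inconsistent with a well-known attribute")
    if length != 5 or len(data) < 3 + length:
        raise ValueError("attribute data must be 1 + 4 octets")
    label_len = data[3]
    if not 1 <= label_len <= 31:
        raise ValueError("label length out of range")
    (raw,) = struct.unpack("!I", data[4:8])
    return raw >> (32 - label_len), label_len, data[8:]   # left-adjusted label


def route_distinguisher(asn: int, number: int) -> bytes:
    """Type 0 RD (RFC 2547bis): 2-octet type 0, 2-octet AS, 4-octet number."""
    return struct.pack("!HHI", 0, asn, number)


def encode_vpn_ipv4_nlri(rd: bytes, ipv4: str) -> bytes:
    """Unlabeled VPN-IPv4 NLRI: length 96 bits, then RD (8) + IPv4 address (4)."""
    if len(rd) != 8:
        raise ValueError("RD must be 8 octets")
    return bytes([96]) + rd + ipaddress.IPv4Address(ipv4).packed


def decode_vpn_ipv4_nlri(data: bytes) -> list:
    """Parse a run of unlabeled VPN-IPv4 NLRI into [(rd bytes, dotted IPv4)]."""
    out = []
    while data:
        if data[0] != 96 or len(data) < 13:
            raise ValueError("unlabeled VPN-IPv4 NLRI must carry a 96-bit prefix")
        out.append((data[1:9], str(ipaddress.IPv4Address(data[9:13]))))
        data = data[13:]
    return out


def encode_next_hop(pe_addr: str) -> bytes:
    """BGP next hop in the same address family: VPN-IPv4 with RD 0."""
    return bytes(8) + ipaddress.IPv4Address(pe_addr).packed


def build_and_parse() -> dict:
    """Round trip: a PE advertises 10.1.0.0 in RD 65000:1 with label 2 of 20 bits."""
    attr = encode_spi_label_attr(label=2, label_len=20)
    nlri = encode_vpn_ipv4_nlri(route_distinguisher(65000, 1), "10.1.0.0")
    label, label_len, rest = decode_spi_label_attr(attr)
    [(rd, addr)] = decode_vpn_ipv4_nlri(nlri)
    return {"attr_hex": attr.hex(), "label": label, "label_len": label_len,
            "rest": rest, "rd_hex": rd.hex(), "addr": addr,
            "next_hop_hex": encode_next_hop("192.0.2.2").hex()}
```

   For label 2 with a 20-bit label length the attribute on the wire is
   40 fa 05 14 00 00 20 00: flags 0x40 (transitive only), the assumed
   type, length 5, label length 20, and the label left-adjusted into the
   four label+padding octets.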

5.2.5 Building VPNs using Route Targets

   By setting up the Import  Route  Targets  and  Export  Route  Targets
   properly, one can construct different kinds of VPNs.

   [RFC2547bis] gives two examples: a fully  meshed  closed  user  group
   (i.e.  a  set  of  sites  where each can send traffic directly to the
   others, but where no communication is possible with other non-member
   sites),  and  a  hub  and  spoke model (i.e. a communication topology
   where all the traffic between  sites  (the  "spoke  sites")  must  go
   through a central site (the "hub site")).

   To form a fully meshed closed user group for example, a single  Route
   Target  is  needed.  That  Route  Target  is  assigned  to  the  VRFs
   associated with the participating sites, as both the Import  and  the
   Export Route Target.

   The methods for controlling the distribution of routing  information
   among  various  sets  of sites are very flexible, which gives great
   freedom in constructing VPNs.
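   The import/export Route Target filtering of section 5.2.1 applied to
   the two topologies above, plus the overlapping-address case that
   motivates the RD in section 5.0, as an added Python model that is not
   part of the draft. PE addresses, RDs, Route Target values, SPI-labels
   and customer prefixes are all constructed for the illustration; BGP
   itself is reduced to a table keyed by RD and prefix from which every
   VRF picks the routes carrying one of its import Route Targets.

```python
"""Route Target based route filtering into VRFs.  Constructed model, not code
from the draft: PE addresses, RDs, Route Targets, SPI-labels and prefixes are
made up, and BGP is reduced to a table keyed by (RD, prefix)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str                    # Route Distinguisher, written AS:number
    prefix: str                # customer (private) IPv4 prefix
    next_hop: str              # advertising PE = IPsec tunnel endpoint
    spi_label: int             # SPI-label attribute chosen by that PE
    route_targets: frozenset   # export Route Targets (Extended Communities)


@dataclass
class VRF:
    name: str
    pe: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local: tuple                               # prefixes learned from the CE
    spi_label: int = 0                         # label the PE uses for this VRF
    table: dict = field(default_factory=dict)  # prefix -> VpnRoute

    def export(self) -> list:
        """CE routes become VPN-IPv4 routes tagged with the export RTs."""
        return [VpnRoute(self.rd, p, self.pe, self.spi_label, self.export_rts)
                for p in self.local]

    def consider(self, route: VpnRoute) -> bool:
        """Eligible only if the route carries one of this VRF's import RTs."""
        if route.rd == self.rd or not (route.route_targets & self.import_rts):
            return False
        self.table[route.prefix] = route
        return True


def distribute(vrfs: list) -> dict:
    """Offer every exported route to every VRF.  Keying the BGP table on
    RD + prefix keeps equal prefixes of different VPNs apart.  Returns
    {vrf name: {prefix: (next hop PE, SPI-label)}}, i.e. exactly what the
    ingress PE needs for the outbound lookup of section 4.3.2."""
    bgp_table = {(r.rd, r.prefix): r for v in vrfs for r in v.export()}
    for route in bgp_table.values():
        for v in vrfs:
            v.consider(route)
    return {v.name: {p: (r.next_hop, r.spi_label) for p, r in v.table.items()}
            for v in vrfs}


def closed_user_group() -> dict:
    """One RT as both import and export: every site reaches every other."""
    rt = frozenset({"65000:100"})
    return distribute([
        VRF("A", "192.0.2.1", "65000:1", rt, rt, ("10.1.0.0/16",), spi_label=1),
        VRF("B", "192.0.2.2", "65000:2", rt, rt, ("10.2.0.0/16",), spi_label=1),
        VRF("C", "192.0.2.3", "65000:3", rt, rt, ("10.3.0.0/16",), spi_label=1),
    ])


def hub_and_spoke() -> dict:
    """Spokes export 'spoke' and import 'hub'; the hub does the reverse, so
    spoke-to-spoke traffic can only flow via the hub site."""
    hub, spoke = frozenset({"65000:200"}), frozenset({"65000:201"})
    return distribute([
        VRF("hub", "192.0.2.1", "65000:10", spoke, hub, ("10.0.0.0/8",), spi_label=7),
        VRF("S1", "192.0.2.2", "65000:11", hub, spoke, ("10.2.0.0/16",), spi_label=1),
        VRF("S2", "192.0.2.3", "65000:12", hub, spoke, ("10.3.0.0/16",), spi_label=1),
    ])


def overlapping_address_space() -> dict:
    """Two VPNs both number a site 10.1.0.0/16 on the same PE: distinct RDs
    keep the two VPN-IPv4 routes apart in BGP, distinct RTs keep them in
    their own VRFs, and distinct SPI-labels steer them at the egress PE."""
    red, green = frozenset({"65000:300"}), frozenset({"65000:301"})
    return distribute([
        VRF("red-1", "192.0.2.1", "65000:21", red, red, ("10.1.0.0/16",), spi_label=1),
        VRF("red-2", "192.0.2.2", "65000:22", red, red, ("10.9.0.0/16",), spi_label=1),
        VRF("green-1", "192.0.2.1", "65000:31", green, green, ("10.1.0.0/16",), spi_label=2),
        VRF("green-2", "192.0.2.2", "65000:32", green, green, ("10.8.0.0/16",), spi_label=2),
    ])
```

   In the overlapping case both red-2 and green-2 end up with a route to
   10.1.0.0/16 via the same PE 192.0.2.1, distinguished only by the
   SPI-label (1 versus 2) that will select the VRF there after IPsec
   processing.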

6.0 Forwarding Across the Backbone

   As PE to PE IPsec tunnels  are  deployed  across  the  backbone,  the
   forwarding  in  the backbone is based on regular IP forwarding, using
   the destination addresses in the outer IP-headers.   These  outer  IP
   headers  contain  no  VPN  information. The addresses included in the
   outer IP headers are PE global IP addresses. This means that  no  VPN
   awareness  is  needed  in  the  backbone  at  all,  and  that all the
   forwarding relies on regular IP, so no  non-IP  tunneling  mechanisms
   are  needed  (such  as MPLS). The only requirement is that PE routers
   need to insert /32 address prefixes for themselves (the IPsec  tunnel
   endpoints) into the IGP routing tables of the backbone.


7.0 How PEs Learn Routes from CEs

   The PE routers which attach to a particular VPN  need  to  know,  for
   each  of  that  VPN's  sites, which addresses in that VPN are at each
   site.

   If the CE device is a switch or a host, the  set  of  addresses  will
   generally  be  configured  into  the  PE  router. If the CE is a user
   dialing in, it will usually receive a temporary IP address  from  the
   PE.  In  the  case  where  the  CE is a router, there are a number of
   possible ways that a PE router can obtain this set of addresses.

   The  PE  translates  these  private  IPv4  addresses  into   VPN-IPv4
   addresses,  using  a configured RD. The PE then treats these VPN-IPv4
   routes as input to BGP. Routes from a site are NOT  leaked  into  the
   backbone's IGP.

   Many route distribution techniques from CE to PE  are  conceivable.
   However,  a  distinction must be made between CEs in a "transit VPN"
   (= a VPN that contains a router that receives  routes  from  another,
   non-PE  router  that  is not in the VPN) and CEs in a "stub VPN" (= a
   VPN without "third party" routing exchanges).

   The possible PE/CE distribution techniques are: static routing,  RIP,
   OSPF, EBGP, etc.

   [RFC2547bis] gives a more detailed overview  of  the  possible  CE/PE
   route distribution scenarios.

   Once the  CE-routes  are  learned  by  the  PE,  it  distributes  the
   resulting  VPN-IPv4  routes via BGP. These routes are associated with
   the following attributes: an SPI-label attribute, one or  more  Route
   Target attributes and optionally a Site of Origin attribute.

   The Site of Origin attribute, if used, is encoded as a  Route  Origin
   Extended Community [BGP-EXTCOMM]. The purpose of this attribute is to
   uniquely identify the set of routes learned from a  particular  site.
   This attribute is needed in some cases to ensure that a route learned
   from a particular site via  a  particular  PE/CE  connection  is  not
   distributed back to the site through a different PE/CE connection.

8.0 How CEs Learn Routes from PEs

   In this section, it is assumed that the CE device is a router.

   If the PE places a particular route in  the  VRF  associated  with  a
   certain  site,  then  in general, the PE may distribute that route to
   the CE. Of course, the PE may distribute that route to the CE only if
   this  is  permitted  by  the  rules  of the PE/CE protocol. Note that
   whatever procedure is used to distribute routes from CE  to  PE  will
   also be used to distribute routes from PE to CE.

   One more restriction is added on the distribution of routes  from  PE
   to  CE: if a route's Site of Origin attribute identifies a particular
   site, that route must never be redistributed to any CE in that site.

   Note also that in most cases, it will be sufficient  for  the  PE  to
   simply distribute the default route to the CE.

9.0 Inter-Provider Backbones

   A common requirement for VPNs is that they must be able to span across
   multiple backbones. This allows sites that are connected to different
   SPs to 'be in the same VPN'. This  requirement  introduces  two  main
   issues:

   - the PE routers participating in the VPN topology are  not  able  to
   establish  IBGP  connections  with  each other or with a common route
   reflector

   - the security aspect becomes an important issue

   The latter issue is covered by the use of the PE-PE end to end  IPsec
   tunnels.  For  the  first  issue,  [RFC2547bis] discusses 3 different
   solutions.

   The first two solutions ('VRF-to-VRF connections  at  the  AS  border
   routers'  and 'EBGP redistribution of labeled VPN IPv4 routes from AS
   to neighboring AS') are not applicable in the model presented in this
   document, because this model requires PE-PE end-to-end IPsec tunnels.

   The  third  solution   is   perfectly   applicable:   multihop   EBGP
   redistribution  of  VPN-IPv4  routes  (associated  with   SPI-label
   attributes) between source and destination ASs. The participating PEs
   still  need to set up IPsec tunnels with each other (whether they are
   in the  same  AS  or  not)  via  IKE.  The  /32  routes  to  all  the
   participating  PEs must be known in all the participating ASs (PE and
   P routers) to allow for normal end-to-end IP forwarding.

   Now  PE  routers  in  different  ASs  can  establish  multi-hop  EBGP
   connections  to  each  other,  and  can exchange VPN-IPv4 routes over
   these connections.

   To improve scalability, one can have multi-hop EBGP connections  only
   between  a  route reflector in one AS and another route reflector in
   another AS. Care must then be taken that these route  reflectors  do
   not change the BGP next hop attribute of the routes.

10.0 Use of an MPLS backbone

   The model presented in this document does not in any way preclude the
   existence  of  an  MPLS core network. An MPLS network can carry IPsec
   packets as easily as it can carry IP packets. This means that  if  an
   MPLS  network  is present in the backbone of the ISP network, all the
   extra functionalities that MPLS  offers  (Traffic  Engineering,  QoS,
   etc.)   can  still  be  used  in  the  core  of  this  BGP/IPsec  VPN
   architecture.

11.0 Security

   The model described  in  this  document  offers  a  higher  level  of
   security than [RFC2547bis]. The IPsec security mechanisms protect the
   IP packets when traversing the backbone(s). This is an ingress PE  to
   egress  PE  end-to-end  IPsec protection. Especially in the case when
   non-participating ('transit') SPs are traversed, this is an important
   requirement.

   In addition, by introducing the VPN-SPI  concept  and  formats,  this
   architecture  in  itself  provides a security level that is virtually
   identical to a 'layer-2' mechanism in the scope of an individual  PE:
   the  PE  can decide to accept or reject an IP packet based on the SPI
   included in  the  security  header  of  the  IPsec  packet,  and  the
   directing  of  the  packets within the PE relies on the label-part of
   the VPN-SPI. If no misconfiguration occurs, the traffic from one  VPN
   is perfectly shielded from the traffic in another VPN within the same
   PE.

   Note that this shielding relies on the SA providing integrity
   protection (AH, or ESP with authentication): only then is the SPI,
   and with it the label-part that selects the VRF, covered by the ICV
   of the security header. An egress PE must also discard a packet whose
   label-part matches no SPI-label it distributed via BGP, rather than
   fall back to a lookup in its global routing table.

12.0 Scalability

   The model proposed in this  document  uses  IPsec  (tunnel  mode)  to
   tunnel   the  (private  address)  IPv4  packets  through  the  shared
   backbone(s). As the model requires  only  one  IPsec  tunnel  between
   every  two  PEs  (and not a full mesh between sites or between VRFs),
   the solution remains scalable for large topologies.

   All the scalability considerations that apply for  [RFC2547bis]  also
   apply for the model described in this document.

   P routers (which are neither PE routers nor Route Reflectors) do  not
   maintain  any VPN routes. They only need to maintain global IP routes
   to all the participating PEs.

   PE routers maintain VPN routes only for the VPNs  they  are  attached
   to.

   Route Reflectors can be partitioned among VPNs so that each partition
   carries only routes for a subset of the VPNs supported by the Service
   Provider.

   These remarks apply also for the inter-provider  VPNs,  if  multi-hop
   EBGP is used.

   As a result, no  single  component  within  the  SP  network  has  to
   maintain all the routes for all the VPNs. This means that the support
   of an increasing number of VPNs is not limited by the capacity of  an
   individual component.

13.0 References

   [RFC2119] Bradner, S.,  "Key  words  for  use  in  RFCs  to  Indicate
   Requirement Levels", RFC 2119, March 1997.

   [RFC2547] Rosen, E. and Rekhter, Y., "BGP/MPLS VPNs", RFC 2547, March
   1999.

   [RFC2547bis] Rosen E., Rekhter Y., et al., "BGP/MPLS VPNs",  Work  in
   Progress.

   [RFC2401] Kent, S. and Atkinson R., "Security  Architecture  for  the
   Internet Protocol", RFC 2401, November 1998.

   [BGP-RR] Bates, T. and Chandrasekaran, R., "BGP Route Reflection:  An
   alternative to full mesh IBGP", RFC 1966, June 1996.

   [BGP-EXTCOMM]  Ramachandra,  S.  and  Tappan,   D.,   "BGP   Extended
   Communities Attribute", Work in Progress.

   [BGP-MP] Bates, T., et al., "Multiprotocol Extensions for BGP4",  RFC
   2283, February 1998.

   [BGP-RFSH] Chen, E., "Route Refresh Capability  for  BGP4",  Work  in
   Progress.

   [BGP-ORF] Chen, E. and  Rekhter,  Y.,  "Cooperative  Route  Filtering
   Capability for BGP-4", Work in Progress.


14.0 Acknowledgements

   The model presented in this document is  based  on  a  lot  of  ideas
   presented  in  [RFC2547bis].  We would therefore like to thank all the
   authors of "BGP/MPLS VPNs" for their work that has been the basis for
   the ideas presented in this document.

15.0 Authors' Addresses

   Jeremy De Clercq
   Alcatel
   Francis Wellesplein 1
   2018 Antwerpen, Belgium
   Phone: +32 3 240 4752
   Email: jeremy.de_clercq@alcatel.be

   Peter De Schrijver
   Alcatel
   Francis Wellesplein 1
   2018 Antwerpen, Belgium
   Phone : +32 3 240 8569
   Email : peter.de_schrijver@alcatel.be

   Yves T'joens
   Alcatel
   Francis Wellesplein 1
   2018 Antwerpen, Belgium
   Phone : +32 3 240 7890
   Email : yves.tjoens@alcatel.be