Internet Draft Internet Engineering Task Force Bryan Gleeson, Arthur Lin INTERNET DRAFT Shasta Networks, Inc. Expires March 1999 Juha Heinanen Telia Finland, Inc. Grenville Armitage Bell Labs, Lucent Technologies A Framework for IP Based Virtual Private Networks <draft-gleeson-vpn-framework-00.txt> 1. Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). 2.0 Abstract This document describes a framework for virtual private networks (VPN) running across IP backbones. It discusses the various different types of VPNs, their respective requirements, and proposes specific mechanisms that could be used to implement each type of VPN using existing or proposed specifications. The objective of this Draft is to serve as a framework for related protocol development in order to develop the full set of specifications required for widespread deployment of interoperable VPN solutions. 3.0 Introduction There is currently significant interest in the deployment of virtual private networks (VPN), across IP backbone facilities. The Gleeson et al. [Page 1] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 widespread deployment of VPNs has been hampered, however, by the lack of interoperable implementations, which, in turn, derive from the lack of general agreement on the definition and scope of VPNs and confusion over the wide variety of solutions that are all described by the term VPN. In the context of this Draft, a VPN is simply defined as the 'emulation of a private wide area network (WAN) facility using IP facilities' (including the public Internet, or private IP backbones). As such, there are as many types of VPNs as there are types of WANs, hence the confusion over what exactly constitutes a VPN. This framework Draft proposes a taxonomy of a specific set of VPN types, showing the specific applications of each, their specific requirements, and the specific types of mechanisms that may be most appropriate for their implementation. The intent of this Draft is to serve as a framework to guide a coherent discussion of the specific modifications that may be needed to existing IP mechanisms in order to develop a full range of interoperable VPN solutions. The Draft first discusses the likely expectations customers have of any type of VPN, and the implications of these for the ways in which VPNs can be implemented. It also discusses the distinctions between Customer Premises Equipment (CPE) based solutions, and network based solutions. Thereafter it presents a taxonomy of the various VPN types and their respective requirements. It also outlines suggested approaches to their implementation, hence also pointing to areas for future standardization. Note also that this Draft only discusses implementations of VPNs across IP backbones, be they private IP networks, or the public Internet. It specifically does not discuss means of constructing VPNs using native mappings onto switched backbones - e.g. VPNs constructed using, for instance, the LAN Emulation over ATM (LANE) [ATMF1] or Multiprotocol over ATM (MPOA) [ATMF2] protocols operating over ATM backbones. IP backbones may be constructed using such native protocols, interconnecting routers across the switched backbone. IP VPNs would then operate on top of this IP network, and hence would not directly utilize the native mechanisms of the underlying backbone. Native VPNs would be restricted to the scope of the underlying backbone, whereas IP based VPNs can extend to the extent of IP reachability. Native VPN protocols are clearly outside the scope of the IETF, and may be tackled by such bodies as the ATM Forum. 4.0 VPN Application and Implementation Requirements There is growing interest in the use of IP VPNs as a more cost effective means of building and deploying private communication Gleeson et al. [Page 2] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 networks for multi-site communication than with existing approaches. Existing private networks can be generally categorized into two types - dedicated WANs that permanently connect together multiple sites, and dial networks, that allow on-demand connections through the PSTN network to one or more sites in the private network. WANs are typically implemented using leased lines or dedicated circuits - for instance, Frame Relay or ATM connections - between the multiple sites. CPE routers or switches at the various sites connect these dedicated facilities together and allow for connectivity across the network. Given the cost and complexity of such dedicated facilities and the complexity of CPE device configuration, such networks are generally not fully meshed, but have a complex mix of tree and mesh topologies with remote offices, for instance, star wired to the nearest central site, with the latter then connected together in some form of full or partial mesh. Private dial networks are used to allow remote users to connect into an enterprise network using PSTN or ISDN links. Typically, this is done through the deployment of network access servers (NAS) at one or more central sites. Users dial into such NAS, which interact with AAAA ('Authentication, Authorization, Accounting and Administration') servers to verify the identity of the user, and the set of services that the user is authorized to receive. In recent times, as more businesses have found the need for high speed Internet connections, in addition to previous private networks, there has been significant interest in the deployment of CPE based VPNs running across the Internet. This has been driven typically by the ubiquity and distance insensitive pricing of current Internet services, that can result in significantly lower costs than typical dedicated or leased line services. The notion of using the Internet for private communications is not new, and many techniques, such as controlled route leaking, have been used for this purpose [Ferguson]. Only in recent times, however, have the appropriate IP mechanisms needed to meet customer requirements for VPNs all come together. These requirements include the following: A. Support for Opaque Packet Transport: The traffic carried within a VPN may have no relation to the traffic on the IP backbone, either because the traffic is multiprotocol, or because the customer's IP network may use IP addressing unrelated to that of the IP backbone on which the traffic is transported. In particular, the latter may also be non-unique, private IP addressing [Rekhter1]. Gleeson et al. [Page 3] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 B. Support for Data Security: In general, customers using VPNs require some form of data security, given the general perceptions of the lack of security of IP networks, and particularly that of the Internet. Whether or not this perception is correct, it is one that must be addressed by any VPN implementation. Note that some security concerns - e.g. snooping - may be alleviated in cases where all of the VPN traffic stays within a single service provider's closed IP backbone; on the other hand, this alone may not address other concerns such as packet misdirection, data integrity or ability of third parties to insert unauthorized packets. Most recent VPN implementations are converging on the use of standard IPSec facilities [Kent] for this purpose. C. Support for Quality of Service Guarantees: In addition to ensuring communication privacy, existing private networking techniques, building upon physical or link layer mechanisms, also offer various types of quality of service guarantees. In particular, leased and dial up lines offer both bandwidth and latency guarantees, while dedicated connection technologies like ATM and Frame Relay have extensive mechanisms for similar guarantees. As IP based VPNs become more widely deployed, there will be market demand for similar guarantees, in order to ensure end to end application transparency. While the ability of IP based VPNs to offer such guarantees will depend greatly upon the commensurate capabilities of the underlying IP backbones, a VPN framework must also address the means by which VPN systems can utilize such capabilities, as they evolve. Together, the first two of these requirements imply that VPNs must be implemented through some form of IP tunneling mechanism, where the packet formats and/or the addressing used within the VPN can be unrelated to that used to route the tunneled packets across the IP backbone. Such tunnels, depending upon their form, can provide some level of intrinsic data security, or this can also be enhanced using other mechanisms (e.g. IPSec). Furthermore, as discussed later, such tunneling mechanisms can also be mapped into evolving IP traffic management mechanisms. There are already defined a large number of IP tunneling mechanisms. Some of these are well suited to VPN applications, as discussed further below. Gleeson et al. [Page 4] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 4.1 CPE and Network Based VPNs Most current VPN implementations are based on CPE equipment. VPN capabilities are being integrated into a wide variety of CPE devices, ranging from Firewalls, to WAN edge routers and specialized VPN termination devices. Such equipment may be bought and deployed by customers, or may be deployed (and often remotely managed) by service providers in an outsourcing service. There is also significant interest in 'network based VPNs', where the operation of the VPN is outsourced to an Internet service provider (ISP), and is implemented on network as opposed to CPE equipment. There is significant interest in such solutions both by customers seeking to reduce support costs and by ISPs seeking new revenue sources. Supporting VPNs in the network allows the use of particular mechanisms which may lead to highly efficient and cost effective VPN solutions, with common equipment and operations support amortized across large numbers of customers. Most of the mechanisms discussed below can apply to either CPE based or network based VPNs. However particular mechanisms are likely to prove applicable only to the latter, since they leverage tools (e.g. piggybacking on routing protocols) which are accessible only to ISPs and which are unlikely to be made available to any customer, or even hosted on ISP owned and operated CPE, due to the problems of coordinating joint management of the CPE gear by both the ISP and the customer. The Draft will indicate which techniques are likely to apply only to network based VPNs. 5.0 VPN Types: 'Virtual Leased Lines' The simplest form of a VPN is a 'virtual leased line' (VLL) service. In this case, the two VPN endpoints are connected by an IP tunnel which seeks to emulate a physical leased line or dedicated connection. The IP tunnel operates as an overlay across the IP backbone, and the traffic sent through the tunnel is opaque to the underlying IP backbone. In effect the IP backbone is being used as a link layer technology, and the IP tunnel forms a point-to-point link. A device may terminate multiple such VLLs and route or bridge between them, but the manner in which the the VLLs are connected, i.e. at layer 3 or layer 2, is independent of the operation of the VLL itself. For example at layer 3 the VLL can be bound to an IP forwarding table, which views it as just another point-to-point IP interface. A simple example of forwarding at layer 2 is the operation of relaying frames between an ATM VCC and a VLL, in effect forming a point-to-point link. VLLs can also be used to interconnect bridging devices. Gleeson et al. [Page 5] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 More generally, a VLL can also be considered to be the building block of more complex VPN types and topologies. Specifically, as will be discussed in following sections, there are also VPN types in which the forwarding operation, be it at the link layer or the network layer, is also part of the operation of the VPN. In this case, the tunnels connecting each of the VPN nodes can be constructed using VLL tunneling mechanisms, since these have the same requirements. The following section, therefore, looks at the requirements of a generic IP tunneling protocol that can be used both for simple VLL applications, and also for more complex types of VPNs. 5.1 Tunneling Protocol Requirements for VLLs There are numerous IP tunneling mechanisms, including IP/IP [Simpson], GRE tunnels [Hanks], L2TP [Valencia1], MPLS [Callon] and IPSec [Kent]. Note that while some of these protocols are not often thought of as tunneling protocols, they do each allow for opaque transport of frames as packet payload, with forwarding disjoint from the address fields of the encapsulated packets. As such, any of these could be applied to the operation of a VLL, albeit with some modifications, as discussed below. Note, however, that there is one significant distinction between each of the IP tunneling protocols mentioned above, and MPLS. MPLS can be viewed as a specific link layer for IP, insofar as MPLS specific mechanisms apply only within the scope of an MPLS network, whereas IP based mechanisms extend to the extent of IP reachability. As such, VPN mechanisms built directly upon MPLS tunneling mechanisms (e.g. as described in [Heinanen1] or [Jamieson]) cannot, by definition, extend outside the scope of MPLS networks, any more so than, for instance, ATM based mechanisms such as LANE can extend outside of ATM networks. Note however, that an MPLS network can span many different link layer technologies, and so, like an IP network, its scope is not limited by the specific link layers used. Parallel work on defining a set of mechanisms to allow for interoperable VPNs specifically over MPLS networks is also underway, as addressed in [Heinanen2] and [Jamieson], and as will be discussed later. There are a number of desirable requirements for a VLL tunneling mechanism, however, that are not all met by the existing tunneling mechanisms. These include: Gleeson et al. [Page 6] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 5.1.1 Support for VLL Multiplexing: There are cases where multiple VLLs may be needed between the same two IP endpoints. This may be needed, for instance, in cases where the VLLs are network based, and each end point supports multiple customers. Traffic for different customers travels over separate VLLs between the same two physical devices. A multiplexing field is needed to distinguish which packets belong to which VLL. Sharing a tunnel in this manner may also reduce the latency and processing burden of tunnel set up. Of the existing IP tunneling mechanisms, L2TP (via the tunnel-id and call-id fields), MPLS (via the label) and IPSec (via the SPI field) have a multiplexing mechanism. Strictly speaking GRE does not have a multiplexing field. However the key field, which was intended to be used for authenticating the source of a packet, has sometimes been used as a multiplexing field. IP/IP does not have a multiplexing field. 5.1.2 Support for a Signalling Protocol For a VLL there is some configuration information that must be known by an end point in advance of tunnel establishment, such as the IP address of the remote end point, and any relevant tunnel attributes required (such as the level of security needed). Following this configuration the actual tunnel establishment can be completed in one of two ways - via a management operation, or via a signalling protocol that allows tunnels to be established dynamically. An example of a management operation would be to use an SNMP MIB to configure various tunneling parameters, e.g. MPLS labels, source addresses to use for IP/IP or GRE tunnels, L2TP tunnel-ids and call- ids, or security association parameters for IPSec. Using a signalling protocol can significantly reduce the management burden however and should be a requirement for any standard VLL tunneling mechanism. It reduces the amount of configuration needed, and reduces the management co-ordination needed if a VPN spans multiple administrative domains. For example, the value of the multiplexing field, described above, is local to the node assigning the value, and can be kept local if distributed via a signalling protocol, rather than being first configured into a management station and then distributed to the relevant nodes. A signalling protocol also allows nodes that are mobile or are only intermittently connected to establish tunnels on demand. Signalling is particularly useful for the VPRN scenario described later (section 6.0). A signalling protocol should allow for the transport of a VPN identifier (see 6.1.1) to allow the resulting tunnel to be associated with a particular VLL. It should also allow tunnel attributes to be Gleeson et al. [Page 7] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 exchanged or negotiated, for example the use of frame sequencing or the use of multiprotocol transport. Note that the role of the signalling protocol is solely to negotiate tunnel attributes, not to carry information about how the tunnel is used, for example whether the frames carried in the tunnel are to be forwarded at layer 2 or layer 3. (This is similar to Q.2931 ATM signalling - the same signalling protocol is used to set up Classical IP LISs as well as LANE ELANs). Of the various tunneling protocols, the following ones support a signaling protocol that could possibly be adapted for this purpose: MPLS (the various mechanisms for label distribution, including the label distribution protocol (LDP) [Thomas]), L2TP (the L2TP control channel) and IPSec (the Internet Key Exchange (IKE) protocol [Harkins]), and GRE (as used with mobile-ip tunneling [Calhoun3]). 5.1.3 Support for Data Security: A VLL tunneling mechanism must support mechanisms to allow for whatever level of security may be desired by customers, including authentication and/or encryption of various strengths. None of the tunneling mechanisms discussed, other than IPSec, have intrinsic security mechanisms, but rely upon the security characteristics of the underlying IP backbone. In particular, MPLS relies upon the explicit labeling of label switched paths (LSP) to ensure that packets cannot be misdirected, while the other tunneling mechanisms can all be secured through the use of IPSec. If some form of signalling mechanism is used by one VLL end point to dynamically establish a tunnel with another endpoint, then there is a requirement to be able to authenticate the party attempting the tunnel establishment. IPsec has an array of schemes for this purpose, allowing, for example, authentication to be based on pre-shared keys, or public/private key pairs with certificates. Other tunneling schemes have weaker forms of authentication. In some cases no authentication may be needed, for example if the tunnels are provisioned, rather than dynamically established, or if the trust model in use does not require it. 5.1.4 Support for Multiprotocol Transport In many applications of VLLs, the VLL may carry opaque, multiprotocol traffic. As such, the tunneling protocol must also support multiprotocol transport. The only tunneling mechanism which will preclude such transport is IP/IP. L2TP is designed to transport PPP packets, and thus can be used to carry multiprotocol traffic since PPP itself is multiprotocol. IPSec has been designed to transport IP packets, but may be readily generalized to carry multiprotocol Gleeson et al. [Page 8] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 traffic. The signalling component of IPSec (IKE) could be extended to indicate the type of traffic carried over the IP tunnel or the type of packet multiplexing header used (e.g. LLC/SNAP, GRE), if the traffic is not IP. 5.1.5 Support for Frame Sequencing: One quality of service attribute required by customers of a VLL, may be frame sequencing, matching the equivalent characteristic of physical leased lines or dedicated connections. Sequencing may be required for the efficient operation of particular end to end protocols or applications. In order to implement frame sequencing, a VLL tunneling mechanism should have the option of a sequencing field. At present, only the L2TP specification has such a field. IPSEC has a sequence number field, but it is used by a receiver to perform an anti-replay check, not to guarantee in-order delivery of packets. 5.1.6 Support for Tunnel Maintenance: The VLL end points must monitor the operation of the VLL tunnels to ensure that connectivity has not been lost. Note that this does not necessarily require inband verification, since IP backbone connectivity with the VLL end point is sufficient assurance, due to the fact the tunnel also runs across the same backbone. L2TP has an optional in-band keep-alive mechanism to detect non-operational tunnels. Other tunneling mechanisms will likely require some out of band mechanism to determine connectivity - for instance, regular ICMP pings. Note also that tunnel inactivity should be differentiated from tunnel deletion. A distinction needs to be made between the creation and deletion of a VLL tunnel, and the establishment and termination of a tunnel instance. The creation of a VLL tunnel is a configuration operation, whereby the information needed to dynamically establish a tunnel (e.g. the remote IP end point) is installed. Similarly the deletion of such a VLL tunnel is a configuration operation that removes this information. The establishment of a tunnel instance occurs as a result of a signalling exchange, with parameters being transferred (e.g. the value of the multiplexing field) and any needed resources being put in place. This may occur immediately the VLL tunnel is created, or a data-driven approach could be used, whereby the tunnel instance is only established when there is some data to be transferred. Also the tunnel instance could be maintained until VLL tunnel deletion, whether or not it was being used, or it could be terminated due to an idle timeout, and re-established whenever there was subsequently data ready for transfer. The latter approach may be useful if resources are being allocated for traffic management purposes, to avoid dedicating resources for inactive tunnel Gleeson et al. [Page 9] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 instances. 5.1.7 Support for Large MTUs Since the traffic sent through a VLL may often be opaque to the underlying IP backbone, it cannot also generally be assumed that the maximum transfer unit (MTU) of the VLL itself, is less than or equal to that of the MTU of the particular route of the VLL across the IP backbone. As such, the VLL tunneling mechanism may need mechanisms to allow for frame fragmentation, either within the tunnel, or at the IP level. If the frame to be transferred is mapped into one IP datagram, normal IP fragmentation mechanisms can be used. There may also be value in defining fragmentation techniques that operate at the tunnel level (using the tunnel sequence number and an end-of-message marker of some sort) in order to avoid IP level fragmentation. This subject is for further study. 5.1.8 Minimization of Tunnel Overhead There is clearly benefit in minimizing the overhead of VLL tunneling mechanisms. This is particularly important for the transport of small, jitter and latency sensitive traffic such as packetized voice and video. On the other hand, the use of security mechanisms, such as IPSec, do impose their own overhead, hence the objective should be to minimize overhead over and above that needed for security, and to not burden those VLLs in which security is not mandatory with unnecessary overhead. 5.1.9 Flow and congestion control issues Of the existing tunneling schemes only L2TP has procedures for flow and congestion control. These were necessitated in part due to the need to provide adequate performance over lossy networks when PPP compression (which, unlike the IP Payload Compression Protocol (IPComp) [Shacham], is stateful across packets) is being used, and to accommodate devices with very little buffering. The flow and congestion control mechanisms used with L2TP are largely specific to the use of PPP and devices that terminate low speed dial-up lines. More analysis is needed to see if any flow and congestion control mechanisms should be incorporated into a generic IP tunneling protocol. For TCP traffic, the end-to-end flow and congestion control provided by TCP itself will generally suffice. Good flow and congestion control schemes, that can adapt to a wide variety of network conditions and deployment scenarios are complex to develop and test, both in themselves and in understanding the interaction Gleeson et al. [Page 10] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 with other schemes (e.g. TCP's) that may be running in parallel. There may be some benefit, however, in having the capability whereby a sender can shape traffic to the capacity of a receiver in some manner, and in providing the protocol mechanisms to allow a receiver to signal its capabilities to a sender. This area is for further study. 5.1.10 Traffic Management issues As noted above, customers may require that VLLs yield similar behavior to physical leased lines or dedicated connections with respect to such traffic management parameters as loss rates and latency and bandwidth guarantees. How such guarantees could be delivered will, in general, be a function of the traffic management characteristics of the VPN termination devices, and the access and backbone networks across which they are connected. However, it is likely that the most general solution would be to model a VLL as a logical link which extends across the backbone between two terminating devices. As such, all of the capabilities currently being developed and deployed for traffic management, including link sharing, differentiated services [Bernet] and fair scheduling could also be applied to the VLL. The specific capabilities that may be needed from VLL tunneling mechanisms to support such requirements is for further study. It will be noted, however, that this proposed model of tunnel operation may not wholly consistent with the way in which specific tunneling protocols are currently modeled. In particular, it is unclear whether an IPSec tunnel is considered in the current IPSec architecture to be an interface, per se, or an attribute of a particular packet flow. 5.2 Specification Recommendations There is a need for a standard VLL tunneling mechanism, that addresses each of the requirements discussed above. Given the necessity for strong encryption and strong authentication capabilities it would appear that a modification of IKE/IPSec may well be the optimal choice, particularly for non-MPLS based networks, since in addition to addressing the need for secure tunnels, it already has well defined signaling and multiplexing capabilities which can be readily amended for the specific needs of VLLs. To minimize overhead, including the overhead of configuration, control state, and processing cycles, as well as extra header fields added to a data packet, it also seems advantageous to converge on the use of a single signalling protocol and associated data encapsulation, rather Gleeson et al. [Page 11] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 than use multiple protocols in parallel (e.g. IKE/IPSec and L2TP). However the use of IPSec as a VPN tunneling mechanism may require amendments to the envisaged model of IPSec usage implicit in the current IPSec architecture. A future draft will discuss these amendments in greater detail. Note that parallel work is also underway in the MPLS WG on MPLS-based tunneling mechanisms as discussed in [Heinanen2]. 6.0 VPN Types: Virtual Private Routed Networks A virtual private routed network (VPRN) is defined to be the emulation of a multi-site wide area routed network using IP facilities. This section looks at how a network-based VPRN service can be provided. CPE-based VPRNs are also possible, but are not specifically discussed here. With network-based VPRNs many of the issues that need to be addressed are concerned with configuration and operational issues, which must take into account the split in administrative responsibility between the service provider (ISP) and the service user (customer). A VPRN consists of a mesh of IP tunnels between ISP routers, together with the routing capabilities needed to forward traffic received at each VPRN site to the appropriate destination site. Attached to these ISP routers are CPE routers connected via one or more links, termed 'stub' links. This is illustrated in the following diagram, which shows 3 ISP edge routers connected via a full mesh of IP tunnels, used to interconnect 4 CPE routers. One of the CPE routers is multihomed to the ISP network. In the multihomed case, all stub links may be active, or, as shown, there may be one primary and one or more backup links to be used in case of failure of the primary. The term 'backdoor' link is used to refer to a link between two customer sites that does not traverse the ISP network. Gleeson et al. [Page 12] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 +--------+ +--------+ +---+ | ISP | | ISP | +---+ |CPE|-------| edge |-----------------------| edge |------|CPE| +---+ | router | IP tunnel | router | +---+ stub +--------+ +--------+ stub : link | | | link : | | | : | | IP BACKBONE | : | | | : | |IP tunnel IP tunnel| : | | +--------+ | : | | | ISP | | : | +-----------| edge |-----------+ : | | router | : backup| +--------+ backdoor: link | | | link : | stub link | | stub link : | | | : | +---+ +---+ : +-------------|CPE| |CPE|......................: +---+ +---+ The principal benefit of a VPRN is that the configuration of the CPE router is simplified. To a CPE router, the ISP edge router appears as a neighbour router in the customer's network, to which it sends all traffic for non-local VPRN destinations. The tunnel mesh that is set up to transfer traffic extends between the ISP edge routers, not the CPE routers. In effect the burden of tunnel establishment and maintenance and routing configuration is outsourced to the ISP. This is in contrast to the scenario where the tunnel mesh extends to the CPE routers. In this case the ISP network provides layer 2 connectivity alone. This can be implemented either as a set of VLLs between CPE routers, in which case the ISP network provides a set of layer 2 point-to-point links, or as a Virtual Private LAN Segment (VPLS) (see section 8.0), in which case the ISP network is used to emulate a multiaccess LAN segment. With these scenarios a customer may have more flexibility (e.g. any IGP or any protocol can be run across all customer sites) but this usually comes at the expense of a more complex configuration for the customer. Thus, depending on customer requirements, a VPRN or a VPLS may be the more appropriate solution. Because a VPRN carries out forwarding at the network layer, a single VPRN only directly supports a single network layer protocol. For multiprotocol support, a separate VPRN for each network layer Gleeson et al. [Page 13] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 protocol could be used, or one protocol could be tunneled over another (e.g. non-IP protocols tunneled over an IP VPRN) or alternatively the ISP network could be used to provide layer 2 connectivity only, such as with a VPLS as mentioned above. The issues to be addressed for VPRNs include initial configuration, determination of the set of routers that have members in a VPRN, determination by an ISP edge router of the set of IP address prefixes reachable via each stub link, determination by a CPE router of the set of IP address prefixes to be forwarded to an ISP edge router, the mechanism used to disseminate stub reachability information to the correct set of ISP routers, and the establishment and use of the tunnels used to carry the data traffic. Note also that, although discussed first for VPRNs, many of these issues also apply to the VPLS scenario described later, with the network layer addresses being replaced by link layer addresses. Note that VPRN operation is decoupled from the mechanisms used by the customer sites to access the Internet. A typical scenario would be for the ISP edge router to be used for both VPRN and Internet connectivity. In this case the CPE router would have a default route pointing to the ISP edge router. However a customer site could have Internet connectivity via an ISP router not involved in the VPRN, or even via a different ISP. In this case, for VPRN traffic, the CPE router would have a route (or set of routes) for all non-local VPRN destinations, pointing to the ISP edge router. This is termed a 'VPRN default route', and is used where necessary in contrast to 'default route' which refers to all non-local destinations (including both non-local VPRN destinations and external Internet destinations). VPRN requirements and mechanisms have been discussed previously in [Heinanen2], with a particular focus in that Draft showing how the same VPRN functionality can be implemented over both MPLS and non- MPLS networks. A. Topology The topology of a VPRN may consist of a full mesh of tunnels between each VPRN site, or may be an arbitrary topology, such as a set of remote offices connected to the nearest central site, with these central sites connected together via a full or partial mesh. With VPRNs there is much less cost assumed with full meshing than in cases where physical resources (e.g. Frame Relay DLCI or a leased line) must be allocated for each connected pair of sites. This yields optimal routing, since it precludes the need for traffic between two sites to traverse through a third. One attraction of a full mesh topology is that there is no need to configure topology information for the VPRN. Instead, given the member routers of a VPRN, the Gleeson et al. [Page 14] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 topology is implicit. If the number of ISP edge routers in a VPRN is very large, however, a full mesh topology may not be appropriate, due to the scaling issues involved, for example, the growth in the number of tunnels needed between sites, (which for n sites is n(n-1)/2), or the number of routing peers per router. Network policy may also lead to non full mesh topologies, for example an administrator may wish to set up the topology so that traffic between two remote sites passes through a central site, rather than go directly between the remote sites. It is also necessary to deal with the scenario where there is only partial connectivity across the IP backbone under certain error conditions (e.g. A can reach B, and B can reach C, but A cannot reach C directly), which can occur if policy routing is being used. For a network-based VPRN, it is assumed that each customer site CPE router connects to an ISP edge router through one or more dedicated point-to-point stub links (e.g. leased lines, ATM or Frame Relay connections). The ISP routers are responsible for learning and disseminating reachability information amongst themselves. The CPE routers must learn the set of destinations reachable via each stub link, though this may be as simple as a default route. B. Addressing The addressing used within a VPRN may have no relation to the addressing used on the IP backbone over which the VPRN is instantiated. In particular non-unique private IP addressing may be used [Rekhter1]. Multiple VPRNs may be instantiated over the same set of physical devices, and they may use the same or overlapping address spaces. C. Forwarding For a VPRN the tunnel mesh forms an overlay network operating over an IP backbone. Within each of the ISP edge routers there must be VPN specific forwarding mechanisms to forward packets received from stub links ('ingress traffic') to the appropriate next hop router, and to forward packets received from the core ('egress traffic') to the appropriate stub link. For cases where a ISP edge router supports multiple stub links belonging to the same VPRN, the tunnels can, as a local matter, either terminate on the edge router, or on a stub link. In the former case a VPN specific forwarding table is needed for egress traffic, in the latter case it is not. A VPN specific forwarding table is generally needed in the ingress direction, in order to direct traffic received on a stub link onto the correct IP tunnel towards the core. Also since a VPRN operates at the internetwork layer, the IP packets send over a tunnel will have their TTL field decremented in the Gleeson et al. [Page 15] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 normal manner, preventing packets circulating indefinitely in the event of a routing loop within the VPRN. D. Multiple concurrent VPRN connectivity Note also that a single customer site may belong concurrently to multiple VPRNs and may want to transmit traffic both onto one or more VPRNs and to the default Internet, over the same stub link. There are a number of possible approaches to this problem, but these are outside the scope of the current Draft. 6.1 VPRN Generic Requirements There are a number of common requirements which any network-based VPRN solution must address, and there are a number of different mechanisms that can be used to meet these requirements. These generic issues are - The use of a globally unique VPN identifier in order to be able to refer to a particular VPN. - VPRN membership determination. An edge router must learn of the other routers that have members in that VPRN. - Stub link reachability information. An edge router must learn the set of addresses and address prefixes reachable via each stub link. - Intra-VPRN reachability information. Once an edge router has determined the set of address prefixes associated with each of its stub links, then this information must be disseminated to each other edge router in the VPRN. - Tunneling mechanism. An edge router must construct the necessary tunnels to other routers that have members in the VPRN, and must perform the encapsulation and decapsulation necessary to send and receive packets over the tunnels. 6.1.1 VPN Identifier Network-based VPRNs may potentially span multiple autonomous systems (ASs) and multiple management domains. This implies the need for a VPN identifier than can be unique across multiple ASs. To that end, [Heinanen1] proposed a globally unique VPN identifier (note that such an identifier may be useful for VPN types other than VPRNs) made up of the concatenation of an AS number, and a label assigned by the AS administrator which is locally unique within the particular AS. This is one solution to the need for a globally unique VPN identifier used Gleeson et al. [Page 16] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 across public networks. Specifically a VPN ID could be coded as a four octet BGP Communities Attribute [Chandra], made up of a two octet AS number and a 2 octet, unstructured integer VPN number, to allow for sufficient numbers of VPNs per AS. Note that where a VPN crosses multiple ASs, then there must be some administrative mechanisms to coordinate VPN ID assignment e.g. through the notion of a 'home AS' for a particular VPN, which is used in the VPN ID of that VPN. A VPN ID coded as proposed could also be easily piggybacked in BGP, and could also be easily specified within BGP policy filters in AS border routers for scoping and administrative purposes. In other environments where VPRN functionality is required, but where using an AS number is not convenient (because the VPRN functionality is being provided on private IP backbone facilities, for example), an Organizationally Unique Identifier (OUI), could be used instead of an AS number. This is a 3 octet number, assigned by the IEEE. With the addition of a locally assigned 2 octet VPN number this would form a 5 octet VPN identifier. Note that the intent of the VPN ID is that it be used in configuration and control messages in order to refer to a particular VPN. There is a also a need to be able to associate a data packet received on a tunnel with a particular VPN, however the VPN ID is not intended to be used for this purpose, since including an extra 4 or 5 byte quantity with every data packet transmitted is neither efficient or necessary. Instead a tunnel specific multiplexing field is used for that purpose. For example an IPSec tunnel uses the SPI field, an L2TP tunnel uses the call-id field, and an MPLS tunnel uses the MPLS label. There is a need for a standard VPN identifier. This could use the OUI format described above, or could be a hybrid which allows both an AS or an OUI to be used, or perhaps some other method. The ATM Forum also have a similar problem to solve, and ideally a single mechanism should be used for both cases. For the remainder of this draft it is assumed that such a globally unique VPN identifier exists. 6.1.2. VPN Membership Information Configuration and Dissemination In order to establish a VPRN, or to insert new customer sites into an established VPRN, the stub links on each edge router from those sites in the particular VPRN must first be configured with the identity of the particular VPRN to which the stub links belong. Note that this first step of stub link configuration is unavoidable, since clearly the edge router cannot infer such bindings and hence must be Gleeson et al. [Page 17] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 configured with this information. A management information base (MIB) allowing for bindings between local stub links and VPN identities is one solution. Thereafter, each edge router must learn either the identity of, or, at least, the route to, each other edge router supporting other stub links in that particular VPRN. Implicit in the latter is the notion that there exists some mechanism by which the configured edge routers can then use this edge router and/or stub link identity information to subsequently set up the appropriate tunnels between them; this is discussed further below. In order to configure each stub link with the identity of the VPN to which it belongs, a VPN identifier is required (see 6.1.1); the scope of uniqueness of this identifier is a function of its usage, which is related to how VPRN membership is disseminated. This problem, of VPRN member dissemination between participating edge routers, can be solved in a variety of ways, discussed below. A. Directory Lookup: The members of a particular VPRN, that is, at a minimum, the identity of the edge routers supporting stub links in the VPRN, and possibly also the identity of each of the stub links, could be configured into a directory, which edge routers could query, using some defined mechanism (e.g. LDAP), upon configuration of their local stub interfaces and VPN identifier. Using a directory allows either a full mesh topology or an arbitrary topology to be configured. For a full mesh, the full list of member routers in a VPRN is distributed everywhere. For an arbitrary topology, different routers may receive different member lists. Using a directory allows for authorization checking prior to disseminating VPRN membership information, which may be desirable where VPRNs span multiple administrative domains. In such a case, directory to directory protocol mechanisms could also be used to propagate authorized VPRN membership information between the directory systems of the multiple administrative domains. There would also need to be some form of database synchronization mechanism (e.g. triggered or regular polling of the directory by edge routers, or active pushing of update information to the edge routers by the directory) in order for all edge routers to learn the identity of newly configured sites inserted into an active VPRN, and also to learn of sites removed from a VPRN. B. Explicit Management Configuration: Gleeson et al. [Page 18] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 A VPRN Management Information Base (MIB) could be defined which would allow a central management system to configure each edge router with the identities of each other participating edge router and possibly also the identity of each of the stub links. Similar mechanisms could also be used, as noted above, to configure the VPN bindings of the local stub links on the edge router. Like the use of a directory, this mechanism allows both full mesh and arbitrary topologies to be configured. Note that this mechanism allows the management station to impose strict authorization control; on the other hand, it may be more difficult to configure edge routers outside the scope of the management system. The management configuration model can also be considered a subset of the directory method, in that the (management) directories could use MIBs to push VPRN membership information to the participating edge routers, either subsequent to, or as part of, the local stub link configuration process. C. Piggybacking in Routing Protocols: VPRN membership information could be piggybacked into the routing protocols run by each edge router across the IP backbone, since this is an efficient means of automatically propagating information throughout the network to other participating edge routers. Specifically, each route advertisement by each edge router could include, at the minimum, the set of VPN identifiers associated with each edge router, and adequate information to allow other edge routers to determine the identity of, and/or, the route to, the particular edge router. Other edge routers would examine received route advertisements to determine if any contained information was relevant to a supported (i.e. configured) VPRN; this determination could be done by looking for a VPN identifier matching a locally configured VPN. The nature of the piggybacked information, and related issues, such as scoping, and the means by which the nodes advertising particular VPN memberships will be identified, will generally be a function both of the routing protocol and of the nature of the underlying transport, and is discussed further in Appendix A. Using this method all the routers in the network will have the same view of the VPRN membership information, and so a full mesh topology is easily supported. Supporting an arbitrary topology is more difficult, however, since some form of pruning would seem to be needed. The advantage of the piggybacking scheme is that it allows for very efficient information dissemination, particularly across multiple routing domains (e.g. across different autonomous systems/ISPs) but Gleeson et al. [Page 19] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 it does require that all nodes in the path, and not just the participating edge routers, be able to accept such modified route advertisements. On the other hand, significant administrative complexity may be required to configure scoping mechanisms so as to both permit and constrain the dissemination of the piggybacked advertisements, and in itself this may be quite a configuration burden. Furthermore, unless some security mechanism is used for routing updates so as to permit only all relevant edge routers to read the piggybacked advertisements, this scheme generally implies a trust model where all routers in the path must perforce be authorized to know this information. Depending upon the nature of the routing protocol, piggybacking may also require intermediate routers, particularly autonomous system (AS) border routers, to cache such advertisements and potentially also re-distribute them between multiple routing protocols. Each of the schemes described above have merit in particular situations. Note that, in practice, there will almost always be some directory or management system which will maintain VPRN membership information, since, as noted above, the binding of VPRNs to stub links must be configured, hence, presumably, such information would be obtained from, and stored within, some database. Hence the additional steps to facilitate the configuration of such information into edge routers, and/or, facilitate edge router access to such information, may not be excessively onerous. 6.1.3 Stub Link Reachability Information There are two aspects to stub site reachability - the means by which VPRN edge routers determine the set of VPRN addresses and address prefixes reachable at each stub site, and the means by which the CPE routers learn the destinations reachable via each stub link. A number of common scenarios are outlined below. In each case the information needed by the ISP edge router is the same - the set of VPRN addresses reachable at the customer site, but the information needed by the CPE router differs. 1. The CPE router is connected via one link to an ISP edge router, which provides both VPRN and Internet connectivity. This is the simplest case for the CPE router, as it just needs a default route pointing to the ISP edge router. 2. The CPE router is connected via one link to an ISP edge router, which provides VPRN, but not Internet, connectivity. Gleeson et al. [Page 20] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 The CPE router must know the set of non-local VPRN destinations reachable via that link - the VPRN default route. This may be a single prefix, or may be a number of disjoint prefixes. The CPE router may be either statically configured with this information, or may learn it dynamically by running an instance of an IGP. For simplicity it is assumed that the IGP used for this purpose is RIP, though it could be any IGP. The ISP edge router will inject into this instance of RIP the VPRN default route, which it learns by means of one of the intra-VPRN reachability mechanisms described in section 6.1.4. Note that the instance of RIP run to the CPE, and any instance of a routing protocol used to learn intra-VPRN reachability (even if also RIP) are separate, with the ISP edge router redistributing the routes from one instance to another. 3. The CPE router is multihomed to the ISP network, which provides VPRN connectivity. In this case all the ISP edge routers could advertise the same VPRN default route to the CPE router, which then sees all VPRN prefixes equally reachable via all links. More specific route redistribution is also possible, whereby each ISP edge router advertises specific prefixes (perhaps the ones locally connected) in addition to, or with more favoured metrics than, the VPRN default route. 4. The CPE router is connected to the ISP network, which provides VPRN connectivity, but also has a backdoor link to another customer site In this case the ISP edge router will advertise the VPRN default route as in case 2. However now the same destination is reachable via both the ISP edge router and via the backdoor link. If the CPE routers connected to the backdoor link are running the customer's IGP, then the backdoor link may always be the favoured link as it will appear an an 'internal' path, whereas the destination as injected via the ISP edge router will appear as an 'external' path (to the customer's IGP). To avoid this problem, assuming that the customer wants the traffic to traverse the ISP network, then a separate instance of RIP should be run between the CPE routers at both ends of the backdoor link, in the same manner as an instance of RIP is run on a stub or backup link between a CPE router and an ISP edge router. This will then also make the backdoor link appear as an external path, and by adjusting the link costs appropriately, the ISP path can always be favoured, unless it goes down, when the backdoor link is then used. The description of the above scenarios covers what reachability information is needed by the ISP edge routers and the CPE routers, and discusses some of the mechanisms used to convey this information. Gleeson et al. [Page 21] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 The sections below look at these mechanisms in more detail. A. Routing Protocol Instance: A routing protocol can be run between the CPE edge router and the ISP edge router to exchange reachability information. This allows an ISP edge router to learn the VPRN prefixes reachable at a customer site, and also allows a CPE router to learn the destinations reachable via its stub links. The extent of the routing domain for this protocol instance is generally just the ISP edge router and the CPE router although if the customer site is also running the same protocol as its IGP, then the domain may extend into customer site. If the customer site is running a different routing protocol then the CPE router redistributes the routes between the instance running to the ISP edge router, and the instance running into the customer site. Given the typically restricted scope of this routing instance, a simple protocol will generally suffice. RIPv2 [Malkin] is likely to be the most common protocol used, though any routing protocol, such as OSPF [Moy], or BGP-4 [Rekhter2] run in internal mode (IBGP), could also be used. Note that the instance of the stub link routing protocol is different from any instance of a routing protocol used for intra-VPRN reachability. For example, if the ISP edge router uses routing protocol piggybacking to disseminate VPRN membership and reachability information across the core, then it may redistribute suitably labeled routes from the CPE routing instantiation to the core routing instantiation. The routing protocols used for each instantiation are decoupled, and any suitable protocol can be used in each case. There is no requirement that the same protocol, or even the same stub link reachability information gathering mechanism, be run between each CPE router and associated ISP edge router in a particular VPRN, since this is a purely local matter. This decoupling allows ISPs to deploy a common (across all VPRNs) intra-VPRN reachability mechanism, and a common stub link reachability mechanism, with these mechanisms isolated both from each other, and from the particular IGP used in a customer network. In the first case, due to the IGP-IGP boundary implemented on the ISP edge router, the ISP can insulate the intra-VPRN reachability mechanism from misbehaving stub link protocol instances. In the second case the ISP is not required to be aware of the particular IGP running in a customer site. Other scenarios are possible, where the ISP edge routers are running a routing protocol in the same instance as the customer's IGP, but are unlikely to be practical, since it defeats Gleeson et al. [Page 22] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 the purpose of a VPRN simplifying CPE router configuration. In cases where a customer wishes to run an IGP across multiple sites, a VPLS solution is more suitable. Note that if a particular customer site concurrently belongs to multiple VPRNs (or wishes to concurrently communicate with both a VPRN and the Internet), then the ISP edge router must have some means of unambiguously mapping stub link address prefixes to particular VPRNs. A simple way is to have multiple stub links, one per VPRN. It is also possible to run multiple VPRNs over one stub link. This could be done either by ensuring (and appropriately configuring the ISP edge router to know) that particular disjoint address prefixes are mapped into separate VPRNs, or by tagging the routing advertisements from the CPE router with the appropriate VPN identifier. For example if MPLS was being used to convey stub link reachability information, different MPLS labels would be used to differentiate the disjoint prefixes assigned to particular VPRNs. In any case, some administrative procedure would be required for this coordination. B. Configuration: The reachability information across each stub link could be manually configured, which may be appropriate if the set of addresses or prefixes is small and static. C. ISP Administered Addresses: The set of addresses used by each stub site could be administered and allocated via the VPRN edge router, which may be appropriate for small customer sites. In such a case the ISP edge router could determine these addresses by proxying for the particular address administration mechanism (e.g. DHCP). Note that in this case it would be the responsibility of the address allocation mechanism to ensure that each site in the VPN received a disjoint address space. Note also that an ISP would typically only use this mechanism for small stub sites, which are unlikely to have backdoor links. D. MPLS Label Distribution Protocol: In cases where the CPE router runs MPLS, the MPLS LDP could be extended to convey the set of prefixes at each stub site, together with the appropriate labeling information. While LDP is not generally considered a routing protocol per se, it may be useful to extend it for this particular constrained scenario. This is for further study. Gleeson et al. [Page 23] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 6.1.4 Intra-VPN Reachability Information Once an edge router has determined the set of prefixes associated with each of its stub links, then this information must be disseminated to each other edge router in the VPRN. Note also that there is an implicit requirement that the set of reachable addresses within the VPRN be locally unique that is, each VPRN stub link (not performing load sharing) maintain an address space disjoint from any other, so as to permit unambiguous routing. In practical terms, it is also generally desirable, though not required, that this address space be well partitioned i.e. specific, disjoint address prefixes per stub link, so as to preclude the need to maintain and disseminate large numbers of host routes. The intra-VPN reachability information dissemination can be solved in a number of ways, some of which include the following: A. Directory Lookup: Along with VPRN membership information, a central directory could maintain a listing of the address prefixes associated with each end point. Such information could be obtained by the server through protocol interactions with each edge router. Note that the same directory synchronization issues discussed above would apply in this case. B. Explicit Configuration: The address spaces associated with each edge router could be explicitly configured into each other router. This is clearly a non- scalable solution, particularly when arbitrary topologies are used, and also raises the question of how the management system learns such information in the first place. C. Local Intra-VPRN Routing Instantiations: In this approach, each edge router runs an instantiation of a routing protocol (a 'virtual router') per VPRN, running across the VPRN tunnels to each peer edge router, to disseminate intra-VPRN reachability information. Both full-mesh and arbitrary VPRN topologies can be easily supported, since the routing protocol itself can run over any topology. The intra-VPRN routing advertisements could be distinguished from normal tunnel data packets either by being addressed directly to the peer edge router, or by a tunnel specific mechanism. Note that this intra-VPRN routing protocol need have no relationship either with the IGP of each customer site or with the routing Gleeson et al. [Page 24] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 protocols operated by the ISPs in the IP backbone. Specifically, the intra-VPRN routing protocol operates as an overlay over the IP backbone, and could be a simple protocol, such as RIPv2 [Malkin], at least unless the VPRN spans a very large number of edge routers. Since the intra-VPN routing protocol runs as an overlay, it is also wholly transparent to any intermediate routers, and to any edge routers not within the VPRN. This also implies that such routing information can also remain opaque to such routers, which may be a necessary security requirements in some cases. If the tunnels over which an intra-VPRN routing protocol runs are dedicated to a specific VPN (e.g. a different multiplexing field is used for each VPN) then no changes are needed to the routing protocol itself. On the other hand if shared tunnels are used, then it is necessary to extend the routing protocol to allow a VPN-ID field to be included in routing update packets, to allow sets of prefixes to be associated with a particular VPN. D. Link Reachability Protocol Given a full mesh topology, each edge router could run a link reachability protocol - for instance, some variation of the MPLS LDP - across the tunnel to each peer edge router in the VPRN, carrying the VPN ID and the reachability information of each VPRN running across the tunnel between the two edge routers. The specification of such a protocol would need to include aspects of current routing protocols such as hello protocols, and re-transmit timers and/or positive acknowledgements. However, such an approach may reduce the processing burden of running routing protocol instantiations per VPRN, and may be of particular benefit where a shared tunnel mechanism is used to connect a set of edge routers supporting multiple VPRNs. Another approach to a link reachability protocol would be to base it on IBGP. The problem that needs to be solved by a link reachability protocol is very similar to that solved by IBGP - conveying address prefixes reliably between edge routers. Using a link reachability protocol it is straightforward to support a full mesh topology - each edge router conveys its own local reachability information to all other routers, but does not redistribute information received from any other router. However once an arbitrary topology needs to be supported, the link reachability protocol in effect develops into a full routing protocol, due to the need to implement mechanisms to avoid loops, and the issues discussed in section 6.1.4C above, apply. E. Piggybacking in IP Backbone Routing Protocols: Gleeson et al. [Page 25] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 As with VPRN membership, the set of address prefixes associated with each stub interface could also be piggybacked into the routing advertisements from each edge router and propagated through the network. Other edge routers would extract this information from received route advertisements in the same way as they would obtain the VPRN membership information (which, in this case, is implicit in the identification of the source of each route advertisement). Note that this scheme may require, depending upon the nature of the routing protocols involved, that intermediate routers, e.g. border routers, cache intra-VPRN routing information in order to propagate it further. This also has implications for the trust model, and for the level of security possible for intra-VPRN routing information. Note that in any of the cases discussed above, an edge router has the option of disseminating its stub link prefixes in a manner so as to permit tunneling from remote edge routers directly to the egress stub links. Alternatively, it could disseminate the information so as to associate all such prefixes with the edge router, rather than with specific stub links. In this case, the edge router would need to implement a VPN specific forwarding mechanism for egress traffic, to determine the correct egress stub link. The advantage of this is that it may significantly reduce the number of distinct tunnels or tunnel label information which need to be constructed and maintained. Note that this choice is purely a local manner and is not visible to remote edge routers. 6.1.5 Tunneling Mechanisms Once VPRN membership information has been disseminated, the tunnels comprising the VPRN can be constructed. One approach to setting up the tunnel mesh is to use point-to-point IP tunnels, and the requirements and issues for such tunnels are discussed in section 5.0, on VLLs. For example while tunnel establishment can be done through manual configuration, this is clearly not likely to be a scalable solution, given the o(n^2) problem of meshed links. As such, tunnel set up should use some form of signaling protocol which would allow two nodes to construct a tunnel to each other knowing only each other's identity. Another approach is to use the multipoint to point 'tunnels' provided by MPLS. As noted in [Heinanen1], MPLS can be considered to be a form of IP tunneling, since the labels of MPLS packets allow for routing decisions to be decoupled from the addressing information of the packets themselves. MPLS label distribution mechanisms can be used to associate specific sets of MPLS labels with particular VPRN address prefixes supported on particular egress points (i.e. stub Gleeson et al. [Page 26] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 links of edge routers) and hence allow other edge routers to explicitly label and route traffic to particular VPRN stub links. One attraction of MPLS as a tunneling mechanism is that it may require less processing within each edge router than alternative tunneling mechanisms. This is a function of the fact that data security within a MPLS network is implicit in the explicit label binding, much as with a connection oriented network, such as Frame Relay. This may hence lessen customer concerns about data security and hence require less processor intensive security mechanisms (e.g. IPSec). However there are other potential security concerns with MPLS. There is no direct support for security features such as authentication, confidentiality, and non-repudiation and the trust model for MPLS means that intermediate routers, (which may belong to different administrative domains), through which membership and prefix reachability information is conveyed, must be trusted, not just the edge routers themselves. 6.2 Multihomed Stub Routers The discussion thus far has implicitly assumed that stub routers are connected to one and only one VPRN edge router. In general, this restriction should be capable of being relaxed without any change to VPRN operation, given general market interest in multihoming for reliability and other reasons. In particular, in cases where the stub router supports multiple redundant links, with only one operational at any given time, with the links connected either to the same VPRN edge router, or to two or more different VPRN edge routers, then the stub link reachability mechanisms will both discover the loss of an active link, and the activation of a backup link. In the former situation, the previously connected VPRN edge router will cease advertising reachability to the stub node, while the VPRN edge router with the now active link will begin advertising reachability, hence restoring connectivity. An alternative scenario is where the stub node supports multiple active links, using some form of load sharing algorithm. In such a case, multiple VPRN edge routers may have active paths to the stub node, and may so advertise across the VPRN. This scenario should not cause any problem with reachability across the VPRN providing that the intra-VPRN reachability mechanism can accommodate multiple paths to the same prefix, and has the appropriate mechanisms to preclude looping - for instance, distance vector metrics associated with each advertised prefixes. This subject is for further study. Gleeson et al. [Page 27] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 6.3 Multicast Support Multicast and broadcast traffic can be supported across VPRN either by edge replication or by native multicast support in the backbone. These two cases are discussed below. 6.3.1 Edge Replication This is where each VPRN edge router replicates multicast traffic for transmission across each link in the VPRN. Note that this is the same operation that would be performed by CPE routers terminating actual physical links or dedicated connections. As with CPE routers, multicast routing protocols could also be run on each VPRN edge router to determine the distribution tree for multicast traffic and hence reduce unnecessary flood traffic. This could be done by running an instantiation of standard multicast routing protocols, e.g. Protocol Independent Multicast (PIM) [Estrin] or the Distance Vector Multicast Routing Protocol (DVMRP) [Waitzman], on and between each VPRN edge router, through the VPRN tunnels, in the same way that unicast routing protocols might be run at each VPRN edge router to determine intra-VPN unicast reachability, as discussed in Section 6.1.4. Alternatively, if a link reachability protocol was run across the VPRN tunnels for intra-VPRN reachability, then this could also be augmented to allow VPRN edge routers to indicate both the particular multicast groups requested for reception at each edge node, and also the multicast sources at each edge site. In either case, there would need to be some mechanism to allow for the VPRN edge routers to determine which particular multicast groups were requested at each site and which sources were present at each site. How this could be done would, in general, be a function of the capabilities of the CPE stub routers at each site. If these could also run multicast routing protocols, then these could interact directly with the equivalent protocols at each VPRN edge router, else they could forward the Internet Group Management Protocol (IGMP) [Fenner] packets to the VPRN edge router for appropriate processing. 6.3.2 Native Multicast Support This is where VPRN edge routers map intra-VPN multicast traffic onto a native IP multicast distribution mechanism across the backbone. Note that the latter is not synonymous with the use of native multicast mechanisms per se - e.g. the use of IP multicast across the backbone - since intra-VPN multicast has the same requirements for isolation from general backbone traffic as intra-VPRN unicast traffic. Currently the only IP tunneling mechanism that has native support for multicast is MPLS. On the other hand, while MPLS supports native transport of IP multicast packets, additional Gleeson et al. [Page 28] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 mechanisms would be needed to leverage these mechanisms for the support of intra-VPN multicast. For instance, each VPRN router could prefix multicast group addresses within each VPRN with the VPN ID of that VPRN and then redistribute these, essentially treating this VPN ID/intra-VPRN multicast address tuple as a normal multicast address, within the backbone multicast routing protocols, as with the case of unicast reachability, as discussed previously. The MPLS multicast label distribution mechanisms could then be used to set up the appropriate multicast LSPs to interconnect those sites within each VPRN supporting particular multicast group addresses. Note, however, that this would require each of the intermediate LSRs to not only be aware of each intra-VPRN multicast group, but also to have the capability of interpreting these modified advertisements. Alternatively, mechanisms could be defined to map intra-VPRN multicast groups into backbone multicast groups. The details of such mechanisms are for further study. Other IP tunneling mechanisms do not have native multicast support. It may prove feasible to extend such tunneling mechanisms by allocating IP multicast group addresses to the VPRN as a whole and hence distributing intra-VPRN multicast traffic encapsulated within backbone multicast packets. Edge VPRN routers could filter out unwanted multicast groups. Alternatively, mechanisms could also be defined to allow for allocation of backbone multicast group addresses for particular intra-VPRN multicast groups, and to then utilize these, through backbone multicast protocols, as discussed above, to limit forwarding of intra-VPRN multicast traffic only to those nodes within the group. The details of such mechanisms are for further study. A particular issue with the use of native multicast support is the provision of security for such multicast traffic. Unlike the case of edge replication, which inherits the security characteristics of the underlying tunnel, native multicast mechanisms will need to use some form of secure multicast mechanism. At present, most aspects of such mechanisms, for instance using IPSec, are not wholly specified [Wallner] and further study will likely be needed before secure native multicast mechanisms can be generally deployed. 6.4 Specification Recommendations There have already been proposals for adapting routing protocols to carry VPN information to support the router piggybacking mechanisms [Heinanen1], particularly in MPLS networks. Some ISPs, however, may prefer schemes that do not couple VPN membership and reachability Gleeson et al. [Page 29] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 mechanisms with the backbone routing protocols, hence a set of mechanisms that do not require piggybacking should also be standardized. In particular the following are needed - a standard format for a globally unique VPN identifier. - a membership distribution protocol based on a directory or MIB. Also for the constrained case of a full mesh topology, the usefulness of developing a link reachability protocol could be examined. Extending routing protocols to allow a VPN-ID to carried in routing update packets could also be examined, but is not necessary if VPN specific tunnels are used. Note also that the MPLS WG group is working on MPLS-specific mechanisms for VPRNs [Heinanen2]. 7.0 VPN Types: Virtual Private Dial Networks A virtual private dial network (VPDN) allows for remote users to connect on demand into remote sites through ad hoc tunnels. The distinguishing characteristic of such ad hoc connections is their binding between a particular user and a central site. As such, user authentication, through whatever means, is a prime requirement. Most such connections are made today through dial connections made through the PSTN, with users setting up PPP connections across an access network to a Network Access Server (NAS), at which point the PPP sessions are authenticated using AAAA systems running such standard protocols as RADIUS [Rigney]. Given the pervasive deployment of such systems, any VPDN system must practically allow for the near transparent re-use of such existing systems. There has been significant work completed on the Layer 2 Tunneling Protocol (L2TP) [Valencia1], building upon the earlier PPTP [Zorn] and L2F [Valencia2] protocols. L2TP allows for the extension of user PPP sessions from a L2TP access concentrator (LAC) to a remote L2TP network server (LNS). Notwithstanding, however, the widespread industry support for L2TP, there are two quite different VPDN scenarios, which may call for different solutions. 7.1 Compulsory Tunneling Compulsory tunneling refers to a case in which a network node - a dial or network access server, for instance - acting as a LAC, extends a PPP session across a backbone using L2TP to a remote LNS. Gleeson et al. [Page 30] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 This operation is transparent to the user initiating the PPP session to the LAC. Support of this scenario was the original intent of the L2F specification, upon which the L2TP specification was based. Compulsory tunneling was originally intended for deployment on dial access servers supporting VPDN or wholesale dial services, allowing for remote dial access through common facilities to an enterprise site, while precluding the need for the enterprise to deploy its own dial servers. More recently, compulsory tunneling mechanisms have also been proposed for evolving xDSL services [ADSL1], [ADSL2], which also seek to leverage the existing AAAA infrastructure. 7.1.1 Call Routing Call routing for compulsory tunnels requires that some aspect of the initial PPP call set up can be used to allow the LAC to determine the identity of the LNS. As noted in [Aboba1], these aspects can include the user identity, as determined through some aspect of the access network, including calling party number, or some attribute of the called party, such as the fully qualified domain name (FQDN) of the CHAP/PAP user name. 7.1.2 Security Mechanisms By allowing for the transparent extension of PPP from the user, through the LAC to the LNS, L2TP allows for the use of whatever security mechanisms, with respect to both connection set up, and data transfer, may be used with normal PPP connections. However this does not provide security for the L2TP control protocol itself. In this case L2TP could be further secured by running it over IPSec through IP backbones [Patel], or related mechanisms on non-IP backbones [Calhoun2]. The interaction of L2TP with AAAA systems for user authentication and authorization is a function of the specific means by which L2TP is used, and the nature of the devices supporting the LAC and the LNS. These issues are discussed in depth in [Aboba1]. The means by which the host determines the correct LAC to connect to, and the means by which the LAC determines which users to further tunnel, and the LNS parameters associated with each user, are outside the scope of the operation of VPDN, but may be addressed, by for instance, evolving Internet roaming specifications [Aboba2]. Gleeson et al. [Page 31] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 7.1.3 Traffic Management L2TP support a complex flow control scheme that can be requested by either party in order to minimize packet loss due to receiver congestion. Furthermore, L2TP, by transparently extending PPP, has inherent support for such PPP mechanisms as multi-link PPP [Sklower] and its associated control protocols [Richard], which allow for bandwidth on demand to meet user requirements. Beyond these capabilities, L2TP itself does not have any specific traffic management mechanisms. As noted also for VLLs, however, L2TP calls could be mapped into whatever underlying traffic management mechanisms may exist in the network, and there are proposals to allow for requests through L2TP signaling for specific differentiated services behaviors [Calhoun1]. 7.1.4 Call Multiplexing L2TP has inherent support for the multiplexing of multiple calls from different users over a single link. Between the same two IP endpoints, there can be multiple L2TP tunnels, as identified by a tunnel-id, and multiple calls within a tunnel, as identified by a call-id. 7.1.5 Address Management Since L2TP is designed to transparently extend PPP, it does not attempt to supplant the normal address assignment mechanisms associated with PPP. Hence, in general terms the host initiating the PPP session will be assigned addressing by the LNS using PPP procedures. This addressing may have no relation to the addressing used for communication between the LAC and LNS. The LNS will also need to support whatever forwarding mechanisms are needed to route traffic to and from the remote host. 7.1.6 Support for Large MTUs As with VLLs, it cannot be assumed that the MTU of the VPDN tunnel is necessarily less than or equal to that of the underling IP route, though the host may adjust the PPP payload MTU to preclude fragmentation. To this end, there are proposals to allow the use of MTU discovery for cases where the L2TP tunnel transports IP frames [Shea]. 7.2 Voluntary Tunnels A voluntary tunneling refers to cases where an individual host connects to a remote site using a tunnel originating on the host, Gleeson et al. [Page 32] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 with no involvement from intermediate network nodes. The PPTP specification, parts of which have been incorporated into L2TP, was based upon a voluntary tunneling model. The L2TP specification has support for voluntary tunneling, insofar as the LAC can be located on a host, not only on a network node. Note that such a host has two IP addresses - one for the LAC - LNS IP tunnel, and another, typically allocated via PPP, for the network to which the host is connecting. There has also been discussion, however, that PPP, and hence either L2TP or PPTP, may be unnecessary and excessively burdensome for voluntary tunnels, particularly when they need to be paired with IPSec for security purposes. It is proposed in [Gupta] that IPSec alone be used for voluntary tunnels, with the tunnels terminating on IPSec edge devices at the enterprise site. In this case IPSec will be used in tunnel mode, and the host will have two IP addresses, in a similar manner to the L2TP case. (Alternatively the host could use one IP address as the source IP address in both the inner and outer IP headers, with the gateway performing NAT before forwarding the inner header, after IPSec processing). The IPSec WG is currently examining this area, with the intent of developing authentication schemes tailored towards remote hosts, and to allow certain configuration parameters, such as the host's IP address and DNS server, to be configured via IKE. Using IPSec as the basis of a voluntary tunnel mechanism may yield a much lower overhead solution than the use of PPP and L2TP, but it does require either changes to host protocol stacks, or the use of host 'shims' to intercept and forward packets to VPDNs through IPSec. A number of proprietary solutions of the latter sort are currently commercially available, hence a standard mechanism may well be desirable. 7.3 Networked Host Support The current PPP based dial model assumes a host directly connected to a connection oriented dial access network. Recent work on new access technologies such a xDSL have attempted to replicate this model [ADSL], so as to allow for the re-use of existing AAAA systems. The proliferation of personal computers, printers and other network appliances in homes and small businesses, and the ever lowering costs of networks, however, are increasingly challenging the directly connected host model. Increasingly, most hosts will access the Internet through small, typically Ethernet, local area networks (LANs). Gleeson et al. [Page 33] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 There is hence interest in means of accommodating the existing AAAA infrastructure within service providers, whilst also supporting multiple networked hosts at each customer site. The principal complication with this scenario is the need to support the login dialogue, through which the appropriate AAAA information is exchanged. A number of proposals have been made to address this scenario: A. Extension of PPP to Hosts Through L2TP: A number of proposals (e.g. [ADSL1]) have been made to extend L2TP over Ethernet so that PPP sessions can run from networked hosts out to the network, in much the same manner as a directly attached host. B. Extension of PPP Directly to Hosts: There are also proposals to map PPP directly onto Ethernet ([Evarts], [Shieh1], [Shieh2]), and to use a broadcast mechanism to allow hosts to find appropriate access servers with which to connect. Presumably such servers could then further tunnel, if needed, the PPP sessions using L2TP or similar mechanism. C. Use of IPSec: The IPSec based voluntary tunneling mechanism discussed above is independent of either access method or PPP and hence could as easily be used with networked or directly connected hosts. All of these methods require either host protocol changes, but the former two do allow the continued use of the various ancillary mechanisms of PPP, including address allocation, autoconfiguration, etc, albeit at the cost of greater overhead. 7.4 Specification Recommendations The L2TP specifications are currently near finalization and hence are the clear choice for VPDNs using compulsory tunneling. Further study needs to be done, however, to determine the most appropriate solution for voluntary tunneling. On approach is a PPP based solution, running over L2TP or some other form of link emulation protocol for the networked host scenario. Another approach is an IPSec based mechanism, with extensions to IKE for necessary host configuration. In the latter case, it may be desirable to maximize commonality with any IPSec based VLL tunneling mechanism. Gleeson et al. [Page 34] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 8.0 VPN Types: Virtual Private LAN Segment 8.0 VPN Types: Virtual Private LAN Segment A virtual private LAN segment (VPLS) is the emulation of a LAN segment using Internet facilities. A VPLS can be used to provide what is sometimes known also as a transparent LAN service (TLS), which can be used to interconnect multiple stub CPE nodes, either bridges or routers, in a protocol transparent manner. A VPLS emulates a LAN segment over IP, in the same way as protocols such as LANE [ATMF1] emulate a LAN segment over ATM. The primary benefits of a VPLS are complete protocol transparency, which may be important both for multiprotocol transport and for regulatory reasons in particular service provider contexts. 8.1 VPLS Requirements Topologically and operationally a VPLS can be most easily modelled as being essentially equivalent to a VPRN, except that each VPLS edge node implements link layer bridging rather than network layer forwarding. As such, most of the VPRN tunneling and configuration mechanisms discussed previously can also be used for a VPLS, with the appropriate changes to accommodate link layer, rather than network layer, packets and addressing information. The following sections discuss the primary changes needed in VPRN operation to support VPLSs. 8.1.1 Tunneling Protocols The tunneling protocols employed within a VPLS could be exactly the same as those used within a VPRN, if the tunneling protocol permitted the transport of multiprotocol traffic. Since the primary tunneling protocols discussed thus far have this capability, this will be assumed below. 8.1.2 Multicast and Broadcast Support A VPLS needs to have a broadcast capability. This is needed both for broadcast frames, and for link layer packet flooding, where a unicast frame is flooded because the path to the destination link layer address is unknown. The address resolution protocols that run over a bridged network typically use broadcast frames (e.g. ARP). The same set of possible multicast tunneling mechanisms discussed earlier for VPRNs apply also to a VPLS, though the generally more frequent use of broadcast in VPLSs may increase the pressure for native multicast support that reduces, for instance, the burden of replication on VPLS edge nodes. Gleeson et al. [Page 35] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 8.1.3 VPLS Membership Configuration and Topology The configuration of VPLS membership is analogous to that of VPRNs since this generally requires only knowledge of the local VPN link assignments at any given VPLS edge node, and the identity of, or route to, the other edge nodes in the VPLS; in particular, such configuration is independent of the nature of the forwarding at each VPN edge node. As such, any of the mechanisms for VPN member configuration and dissemination discussed for VPRN configuration can also be applied to VPLS configuration. Also as with VPRNs, the topology of the VPLS could be easily manipulated by controlling the configuration of peer nodes at each VPLS edge node, assuming that the membership dissemination mechanism was such as to permit this. It is likely that typical VPLSs will be fully meshed, however, in order to preclude the need for traffic between two VPLS nodes to transit through another VPLS node, which would then require the use of the spanning tree protocol [IEEE] for loop prevention. 8.1.4 CPE Stub Node Types Unlike a VPLS in which the CPE nodes are assumed to be routers, a VPLS can support either bridges or routers as a CPE device. CPE routers would peer transparently across a VPLS with each other without requiring any router peering with any nodes within the VPLS. The same scalability issues that apply to a full mesh topology for VPRNs, apply also in this case, only that now the number of peering routers is potentially greater, since the ISP edge device is no longer acting as an aggregation point. With CPE bridge devices the broadcast domain encompasses all the CPE sites as well as the VPLS itself. There are severe scalability constraints in this case, due to the need for packet flooding, and the fact that any topology change in the bridged domain is not localized, but is visible throughout the domain. As such this scenario is generally only suited for non-routable protocols. The nature of the CPE impacts the nature of the encapsulation, addressing, forwarding and reachability protocols within the VPLS, and are discussed separately below. 8.1.5 Stub Link Packet Encapsulation A. Bridge CPE: In this case, packets sent to and from the VPLS across stub links are link layer frames, with a suitable access link encapsulation. The most common case is likely to be ethernet frames, using an Gleeson et al. [Page 36] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 encapsulation appropriate to the particular access technology, such as ATM, connecting the CPE bridges to the VPLS edge nodes. Such frames are then forwarded at layer 2 onto a tunnel used in the VPLS. As noted previously, this does mandate the use of an IP tunneling protocol which can transport such link layer frames. Note that this does not necessarily mandate, however, the use of a protocol identification field in each tunnel packet, since the nature of the encapsulated traffic (e.g. ethernet frames) could be indicated at tunnel setup. B. Router CPE: In this case, typically, CPE routers send link layer packets to and from the VPLS across stub links, destined to the link layer addresses of their peer CPE routers. Other types of encapsulations may also prove feasible in such a case, however, since the relatively constrained addressing space needed for a VPLS to which only router CPE are connected, could allow for alternative encapsulations, as discussed further below. 8.1.6 CPE Addressing and Address Resolution A. Bridge CPE: Since a VPLS operates at the link layer, all hosts within all stub sites, in the case of bridge CPE, will typically be in the same network layer subnet. (Multinetting, whereby multiple subnets operate over the same LAN segment, is possible, but much less common). Frames are forwarded across and within the VPLS based upon the link layer addresses - e.g. IEEE MAC addresses - associated with the individual hosts. The VPLS needs to support broadcast traffic, such as that typically used for the address resolution mechanism used to map the host network addresses to their respective link addresses. The VPLS forwarding and reachability algorithms also need to be able to accommodate flooded traffic. B. Router CPE: A single network layer subnet is generally used to interconnect router CPE devices, across a VPLS. Behind each CPE router are hosts in different network layer subnets. CPE routers transfer packets across the VPLS by mapping next hop network layer addresses to the link layer addresses of a router peer. A link layer encapsulation is used, most commonly ethernet, as for the bridge case. As noted above, however, in cases where all of the CPE nodes connected to the VPLS are routers, then it may be possible, due to the constrained addressing space of the VPLS, to use encapsulations Gleeson et al. [Page 37] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 that use a different address space than normal MAC addressing. See, for instance, [Jamieson], for a proposed mechanism for VPLSs over MPLS networks, leveraging earlier work on VPRN support over MPLS [Heinanen1], which proposes MPLS as the tunneling mechanism, and locally assigned MPLS labels as the link layer addressing scheme to identify the CPE LSR routers connected to the VPLS. 8.1.7 VPLS Edge Node Forwarding and Reachability Mechanisms A. Bridge CPE: The only practical VPLS edge node forwarding mechanism in this case is likely to be standard link layer packet flooding and MAC address learning, as per [IEEE]. As such, no explicit intra-VPLS reachability protocol will be needed, though there will be a need for broadcast mechanisms to flood traffic, as discussed above. In general, it may not prove necessary to also implement the spanning tree protocol [IEEE] between VPLS edge nodes, if the VPLS topology is such that no VPLS edge node is used for transit traffic between any other VPLS edge nodes - in other words, where there is both full mesh connectivity and transit is explicitly precluded. On the other hand, the CPE bridges may well implement the spanning tree protocol in order to safeguard against 'backdoor' paths that bypass connectivity through the VPLS. B. Router CPE: Standard bridging techniques can also be used in this case. In addition, the smaller link layer address address space of such a VPLS may also permit other techniques, with explicit link layer routes between CPE routers. [Jamieson], for instance, proposes that MPLS LSPs be set up, at the insertion of any new CPE router into the VPLS, between all CPE LSRs. This then precludes the need for packet flooding. In the more general case, if stub link reachability mechanisms were used to configure VPLS edge nodes with the link layer addresses of the CPE routers connected to them, then modifications of any of the intra-VPN reachability mechanisms discussed for VPRNs could be used to propagate this information to each other VPLS edge node. This would then allow for packet forwarding across the VPLS without flooding. Mechanisms could also be developed to further propagate the link layer addresses of peer CPE routers and their corresponding network layer addresses across the stub links to the CPE routers, where such information could be inserted into the CPE router's address resolution tables. This would then also preclude the need for broadcast address resolution protocols across the VPLS. Gleeson et al. [Page 38] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 Clearly there would be no need for the support of spanning tree protocols if explicit link layer routes were determined across the VPLS. If normal flooding mechanisms were used then spanning tree would only be required again only if full mesh connectivity was not available and hence VPLS nodes had to carry transit traffic. 8.2 Specification Recommendations There is significant commonality between VPRNs and VPLSs, and, where possible, this similarity should be exploited in order to reduce development and configuration complexity. In particular, VPLSs should utilize the same tunneling and membership configuration mechanisms, with changes only to reflect the specific characteristics of VPLSs. Since one of the primary advantages of VPLSs is protocol transparency, it is likely that any general VPLS specification will need to support bridge CPE. As such, development of VPLS encapsulation, forwarding and reachability protocol mechanisms should prioritize support of bridge CPE through the support of ethernet encapsulations and standard link layer flooding and address learning mechanisms. As with VPRNs, there may be a need for specific mechanisms (e.g. [Jamieson]) for MPLS networks, and more generic mechanisms for non- MPLS networks. 9.0 Summary of Recommendations In this Draft different types of VPNs have been discussed individually, but there are many common requirements and mechanisms that apply to all types of VPNs, and many networks will contain a mix of different types of VPNs. It is useful to have as much commonality as possible across these different VPN types. In particular, by standardizing a relatively small number of mechanisms, it is possible to allow a wide variety of VPNs to be implemented. To this end serious consideration should be given to standardization efforts in the following areas - defining a generic VPN tunneling protocol (section 5.1) - defining a globally unique VPN identifier (section 6.1.1) - defining a VPN membership information configuration and dissemination mechanism, that uses some form of directory or MIB (section 6.1.2 A,B) Also the usefulness of defining a VPN link reachability protocol for Gleeson et al. [Page 39] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 the constrained case of a full mesh topology (section 6.1.4 D), could be examined. This is in addition to the work being done on MPLS-specific mechanisms in the MPLS WG. 10.0 Security considerations Security considerations are an integral part of any VPN mechanisms, and these are discussed in the sections describing those mechanisms. 11.0 Acknowledgements Thanks to Anthony Alles, of Shasta Networks, for his invaluable assistance in the generation of this Draft, and to Joel Halpern, of Newbridge Networks, for his helpful review comments. 12.0 References [Aboba1] Aboba, B. and Zorn, G. - "Implementation of PPTP/L2TP Compulsory Tunneling via RADIUS", draft-ietf-radius-tunnel-imp- 03.txt. [Aboba2] Aboba, B. and Zorn, G. - "Requirements for Internet Roaming", draft- ietf-roamops-roamreq-10.txt. [ADSL1] ADSL Forum - "An Interoperable End-to-end Broadband Service Architecture over ADSL Systems (Version 3.0)", ADSL Forum 97-215. [ADSL2] ADSL Forum - "Core Network Architectures for ADSL Access Systems (Version 1.01)", ADSL Forum 998-017. [ATMF1] ATM Forum - "LAN Emulation over ATM 1.0", af-lane-0021.000, January 1995. [ATMF2] ATM Forum - "Multi-Protocol Over ATM Specification v1.0", af-mpoa-0087.000, June 1997. [Bates] Bates, T. "Multiprotocol Extensions for BGP-4", RFC 2283. [Bernet] Bernet, Y., et al - "A Framework for Differentiated Services", draft-ietf-diffserv-framework-00.txt. [Calhoun1] Calhoun, P. and Peirce, K. - "Layer Two Tunneling Protocol "L2TP" IP Differential Services Extension", draft-ietf-pppext-l2tp- Gleeson et al. [Page 40] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 ds-02.txt. [Calhoun2] Calhoun, P., et al - "Layer Two Tunneling Protocol "L2TP" Security Extensions for Non-IP networks", draft-ietf-pppext-l2tp- sec-04.txt. [Calhoun3] Calhoun, P. et al - "Tunnel Establishment Protocol", draft-ietf-mobileip-calhoun-tep-01.txt. [Callon] Callon, R., et al "Multiprotocol Label Switching Architecture", draft-ietf-mpls-arch-02.txt. [Chandra] Chandra, R. and Traina, P. "BGP Communities Attribute", RFC 1998. [Coltun] Coltun, R. "The OSPF Opaque LSA Option", RFC 2370. [Davie] Davie, B., et al - "Use of Label Switching with RSVP", draft-ietf-mpls-rsvp-00.txt [Estrin] Estrin, D., et al - "Protocol Independent Multicast-Sparse Mode (PIM-SM) Protocol Specification", RFC 2362. [Evarts] Evarts, J., et al - "PPP Over Ethernet "PPPOE"", draft- carrel-info- pppoe-00.txt. [Fenner] Fenner, W. - "Internet Group Management Protocol, Version 2", RFC 2236. [Ferguson] Ferguson, P. and Huston, G. - "What is a VPN?", Revision, April 1 1998; http://www.employees.org:80/~ferguson/vpn.pdf. [Gupta] Gupta, V. - "Secure, Remote Access over the Internet using IPSec", draft-gupta-ipsec-remote-access-00.txt. [Hanks] Hanks, S., et al "Generic Routing Encapsulation over Ipv4 Networks", RFC 1702. [Harkins] Harkins, D. and Carrel, D. "The Internet Key Exchange (IKE)", draft-ietf-ipsec-isakmp-oakley-08.txt. [Heinanen1] Heinanen, J. and Rosen, E. "VPN Support with MPLS" draft-heinanen-mpls-vpn-01.txt. [Heinanen2] Heinanen, J., et al - "MPLS Mappings of Generic VPN Mechanisms", draft-heinanen-generic-vpn-mpls-00.txt. [IEEE] ANSI/IEEE - 10038: 1993 (ISO/IEC) Information technology -- Gleeson et al. [Page 41] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 Telecommunications and information exchange between systems -- Local area networks -- Media access control (MAC) bridges, ANSI/IEEE Std 802.1D, 1993 Edition. [Jamieson] Jamieson, D., et al - "MPLS VPN Architecture", draft- jamieson-mpls-vpn-00.txt. [Kent] Kent, S. and Atkinson, R. "Security Architecture for the Internet Protocol", draft-ietf-ipsec-arch-sec-06.txt. [Li] Li, T. and Rekhter, Y. - "Provider Architecture for Differentiated Services and Traffic Engineering (PASTE)", draft-li- paste-00.txt. [Malkin] Malkin, G. "RIP Version 2 Carrying Additional Information", RFC 1723. [Moy] Moy, J. "OSPF Version 2", RFC 2328. [Patel] Patel, B. and Aboba, B. - "Securing L2TP using IPSEC", draft-ietf- pppext-l2tp-security-02.txt. [Rekhter1] Rekhter, Y., et al "Address Allocation for Private Internets", RFC 1918. [Rekhter2] Rekhter, Y. and Li, T. "A Border Gateway Protocol 4 (BGP-4)", RFC 1771. [Rekhter3] Rekhter, Y. and Rosen, E. "Carrying Label Information in BGP-4", draft-ietf-mpls-bgp4-mpls-00.txt. [Rigney] Rigney, C., et al - "Remote Authentication Dial In User Service (RADIUS)", RFC 2138. [Richard] Richard, C. and Smith, K. - "The PPP Bandwidth Allocation Protocol (BAP), The PPP Bandwidth Allocation Control Protocol (BACP)" RFC 2125. [Valencia1] Valencia, A., et al - "Layer Two Tunneling Protocol 'L2TP'", draft-ietf-pppext-l2tp-11.txt. [Shacham] Shacham, A., et al - "IP Payload Compression Protocol (IPComp)", draft-ietf-ippcp-protocol-06.txt. [Shea] Shea, R. - "L2TP-over-IP Path MTU Discovery (''L2TPMTU'')", draft- ietf-pppext-l2tpmtu-00.txt. [Shieh1] Shieh, P et al. "The Architecture for Extending PPP Gleeson et al. [Page 42] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 Connections for Home Network Clients", ADSL Forum contribution 98- 140. [Shieh2] Shieh, P et al. "The Requirement and Comparisons of Extending PPP over Ethernet", ADSL Forum contribution 98-141. [Simpson] Simpson, W. "IP in IP Tunneling", RFC 1853. [Sklower] Sklower, K., et al - "The PPP Multilink Protocol (MP)", RFC 1990. [Srisuresh] Srisuresh, P. and Holdrege, M. - "IP Network Address Translator (NAT) Terminology and Considerations", draft-ietf-nat- terminology-00.txt. [Thomas] Thomas, B., et al - "LDP Specification", draft-ietf-mpls- ldp-01.txt. [Valencia2] Valencia, A., et al "Cisco Layer Two Forwarding (Protocol) "L2F"", RFC 2341. [Waitzman] Waitzman, D., et al - "Distance Vector Multicast Routing Protocol", RFC 1075. [Wallne] Wallner, D., et al - "Key Management for Multicast: Issues and Architectures", draft-wallner-key-arch-01.txt. [Zorn] Zorn, G., et al - "Point-to-Point Tunneling Protocol--PPTP", draft- ietf-pppext-pptp-04.txt. 13.0 Author Information Bryan Gleeson Shasta Networks 249 Humboldt Court Sunnyvale CA 94089-1300 USA Tel: +1 (408) 548 3711 Email: bgleeson@shastanets.com Juha Heinanen Telia Finland, Inc. Myyrmaentie 2 01600 VANTAA Finland Tel: +358 303 944 808 Gleeson et al. [Page 43] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 Email: jh@telia.fi Arthur Lin Shasta Networks 249 Humboldt Court Sunnyvale CA 94089-1300 USA Tel: +1 (408) 548 3788 Email: alin@shastanets.com Grenville Armitage Bell Labs, Lucent Technologies 101 Crawfords Corner Rd Holmdel, NJ 07733-3030 USA Email: gja@lucent.com 14.0 Full Copyright Statement Copyright (C) The Internet Society (1998). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Gleeson et al. [Page 44] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 Appendix A: Routing Protocol Piggybacking As noted above, routing protocol piggybacking could be used to carry VPN membership information alone, or also VPN reachability information. The means by which this is done, and the nature of the piggyback information, is a function both of the particular routing protocol, and of the underlying network mechanism. The particular cases of OSPF and BGP-4 are discussed below. 6.2.1 OSPF OSPF is often used as an intra-AS routing protocol, and hence may be a required candidate for routing protocol piggybacking. One means by which VPN membership and reachability information could be piggybacked is through the use of the proposed OSPF opaque LSA [Coltun]. The exact details of how such a piggybacking advertisement might be coded are for further study. In particular, it may prove to be the case that opaque LSAs could be well suited for piggybacking VPN membership information, but not VPN reachability information, since opaque LSAs, at least as currently defined, are attributes of, not indexes into, reachability information. Using them in the latter manner, which would be required to piggyback VPN reachability information, may break some existing OSPF implementations. Opaque LSAs do, however, have a well defined scoping mechanism, that, at least within an AS, allows for control over the extent of dissemination of a VPN advertisement. Note also that as a link state protocol OSPF advertisements always allow for the identification of the source of an advertisement. However, each router in the OSPF network, and not only edge routers, will also need to examine received advertisements, and explicitly ignore piggybacked VPN advertisements, unless configured to be a VPN terminator (i.e. edge router). 6.2.2 BGP-4 There are a number of potential mechanisms by which VPN information could be piggybacked into BGP-4, including the Multiprotocol Extensions attribute [Bates] or the BGP communities attribute. In the case where VPN reachability information is piggybacked, each VPN address prefix could be encoded as Network Layer Reachability Information (NLRI) and bound to the VPN identifier as a community attribute, if the VPN ID has the format proposed previously. Note that in cases where it was desired only to advertise VPN membership information, then advertising each VPN prefix may be onerous and undesirable, but there is no specific mechanism in BGP-4, as yet, to advertise anything other than NLRI. In the case where this is done on an MPLS network, then the advertisement would carry each VPN prefix, together with the MPLS label(s) to be used to Gleeson et al. [Page 45] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 send packets to that stub link. As noted above, these labels, as a purely local matter, could identify either the route to each stub link, or only to the edge router itself, which would then use its own forwarding mechanisms for egress packets. Since there is already defined a particular mechanism for carrying MPLS labels in BGP-4 using the Multiprotocol Extensions field [Rekhter3], this would suggest that this mechanism should be generalized for the purpose also of conveying VPN information; hence it is proposed that that Draft be amended for this purpose. The use of BGP-4 for VPN piggybacking is more complex in cases where this is done on non-MPLS networks. In such a case, the piggybacked advertisements must allow for the explicit identification of the source of the advertisement. This is important for tunnel set up in non-MPLS networks, where each edge router needs to know the identity (i.e. IP address) of each of the other edge routers, in order to initiate whatever signaling mechanism may be used for tunnel set-up. At present there is no means by which the original source of a BGP advertisement can be identified once that advertisement is redistributed (e.g. from an intra-AS protocol like OSPF into BGP at a border node, or from an edge router through a border router for distribution outside the original AS). Since VPN support in non-MPLS networks is an important requirement, it is proposed that whatever BGP-4 mechanism is chosen for the purpose of VPN advertisements also be amended to allow for explicit tagging with the IP address of the original source of the advertisement. One possible means by which this could be done may be to associate the VPN ID (coded as a Community Attribute) with the /32 prefix (i.e. IP address) of the edge router supporting the VPN. This issue is for further study. Note that in the case where BGP advertisements are propagated across AS boundaries, then each border router must cache the full set of prefixes and associated label stacks of each advertised VPN. In such a case, further work is also needed to control scoping of BGP piggybacked advertisements. In particular, at AS boundaries, border routers would generally need to be manually configured with VPN route advertisement policies to determine whether such advertisements should be propagated, and, if so, to which peer ASs. In general ASs will also likely automatically reject VPN advertisements received from peer ASs unless specifically configured to pass them. Some administrative mechanism (e.g. manual procedures or some form of directory communication, for instance) would be needed for this purpose. Note also that such scoping policy configurations would be needed not only in each border router of each AS with one or more VPN termination points, but also in each AS in the transit path between them. This last may pose problems if the trust system includes the terminating ASs, but excludes one or more of the transit ASs. These problems expose a particular artifact of router piggybacking - while VPN membership and reachability information is relevant only to the particular edge routers concerned, router piggybacking Gleeson et al. [Page 46] INTERNET DRAFT A Framework for IP Based VPNs September, 1998 necessarily requires also the active participation of all intermediate routers that need to process and propagate such advertisements. This may impose significant burdens on the operation and administration of such intermediate routers, as well as compromising the integrity of the VPNs concerned. Gleeson et al. [Page 47]