Internet Draft
Network Working Group Hamid Ould-Brahim
Internet Draft Gregory Wright
draft-ouldbrahim-bgp-vpn-00.txt Bryan Gleeson
Expiration Date: January 2001 Nortel Networks
July 2000
BGP/VPN:
VPN Information Discovery for
Network-based VPNs
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [RFC-2026].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet- Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
VPN information can be piggybacked into BGP to allow a network-based
VPN to auto-discover its membership and adequate information needed
before any data exchange between private sites takes place across
the backbone. Other drafts (e.g.[VPN-RFC2547]) also piggyback VPN
information onto the backbone instance of BGP. However, [VPN-
RFC2547] implicitly allows only for a single reachability mechanism
(also BGP piggybacking) and a single tunneling mechanism (MPLS).
This draft allows for the explicit indication of the reachability
modes supported (e.g. piggybacking or virtual router) and the
tunneling mechanisms supported, by a VPN device. The purpose of this
Ould-Brahim, et. al [Page 1]
�Internet-Draft BGP/VPN: VPN Information Discovery January 2001
draft is to define a common VPN information protocol that can be
used for both piggybacking and virtual router schemes. It allows for
the auto-discovery of the nodes in a particular VPN, the selection
of the reachability mechanism to use, and the selection of the
tunneling protocol to use.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119.
1. Introduction
VPN information can be piggybacked into BGP to allow a network-based
VPN to auto-discover its membership and adequate information needed
before any data exchange between private sites takes place across
the backbone. Other drafts (e.g.[VPN-RFC2547]) also piggyback VPN
information onto the backbone instance of BGP. However [VPN-RFC2547]
draft implicitly allows only for a single reachability mechanism
(also BGP piggybacking) and a single tunneling mechanism (MPLS).
This draft allows for the explicit indication of the reachability
mechanisms supported (e.g. piggybacking or virtual router) and the
tunneling mechanisms supported, by a VPN device. The purpose of this
draft is to define a common VPN information protocol that can be
used for both piggybacking and virtual router schemes. It allows for
the auto-discovery of the nodes in a particular VPN, the selection
of the reachability mechanism to use, and the selection of the
tunneling protocol to use.
BGP is used to carry different type of VPN information (e.g., the
list of VPN identifiers, the tunnel mechanisms, the VPN reachability
information). The BGP UPDATE message carrying the VPN information
will include, the set of VPN identifiers associated with each edge
router, and adequate information to allow other edge routers to
learn relevant VPN information. The edge routers would examine
received VPN information and determine if any contained information
was relevant to a supported (i.e., configured) VPN. The proposed VPN
extensions allow different VPN topologies to be constructed (hub and
spoke, a full mesh VPN, and arbitrary topologies).
2. Reachability Distribution Schemes
There are two different schemes for distributing VPN reachability
information, the virtual router and the piggybacking reachability
schemes. In the VR model [VPN-VR], each VR in the VPN domain is
running an instance of routing protocol responsible to disseminate
VPN reachability information between VRs. Therefore, VPN
reachability is carried out by a per-VPN instance of routing. In the
reachability piggybacking model the VPN network layer is terminated
at the edge of the backbone, and a backbone routing protocol (i.e.
Ould-Brahim, et al. July 2000 [Page 2]
�Internet-Draft BGP/VPN: VPN Information Discovery January 2001
BGP-4) is responsible for disseminating the VPN reachability
information between provider edge routers (PE) for all the VPNs
configured on the PE.
3. Network Based VPNs Reference Model
The network based VPNs reference model addressed in this draft is
illustrated in figure 1.
PE PE
+--------------+ +--------------+
+--------+ | +----------+ | | +----------+ | +--------+
| VPN-A | | | VPN-A | | | | VPN-A | | | VPN-A |
| Sites |--| |Database /| | BGP peers | | Database/| |-| sites |
+--------+ | |Processing| |<---------->| |Processing| | +--------+
| +----------+ | | +----------+ |
| | | |
+--------+ | +----------+ | | +----------+ | +--------+
| VPN-B | | | VPN-B | | -------- | | VPN-B | | | VPN-B |
| Sites |--| |Database /| |-(Backbone)-| | Database/| |-| sites |
+--------+ | |Processing| | -------- | |Processing| | +--------+
| +----------+ | | +----------+ |
| | | |
+--------+ | +----------+ | | +----------+ | +--------+
| VPN-C | | | VPN-C | | | | VPN-C | | | VPN-C |
| Sites |--| |Database /| | | | Database/| |-| sites |
+--------+ | |Processing| | | |Processing| | +--------+
| +----------+ | | +----------+ |
+--------------+ +--------------+
Figure 1: Network based VPN Reference Model
It is assumed that BGP peers are configured over each backbone where
the PE is attached. Each PE can store, and process information for
multiple VPNs.
4. Carrying VPN information in BGP
BGP-4 multiprotocol extension attributes can be used to carry
various information about VPNs. Other possible alternative is to
use new BGP attributes specifically for carrying VPN information (as
long as the VPN information entries are explicitly identified).
SAFI value of 129 indicates that the information carried in the NLRI
field is a VPN information.
Ould-Brahim, et al. July 2000 [Page 3]
�Internet-Draft BGP/VPN: VPN Information Discovery January 2001
5. NLRI encoding
To support VPN information in the NLRI, the Network Layer
Reachability information in the MP_REACH_NLRI is encoded are
described below:
+---------------------------------------------------------+
| Length of the NLRI (2 octets) |
+---------------------------------------------------------+
| Number of VPN-IDs (2 octets) |
+---------------------------------------------------------+
| First VPN-ID (7 octets) |
+---------------------------------------------------------+
| Second VPN-ID (7 octets) |
+---------------------------------------------------------+
.....
+---------------------------------------------------------+
| N-th VPN-ID (7 octets) |
+---------------------------------------------------------+
| VPN Topology Attribute (2 octets) |
+---------------------------------------------------------+
| VPN Reachability Mode (1 octets) |
+---------------------------------------------------------+
| Length of VPN Reachability Entries (2 octets) |
+---------------------------------------------------------+
| First VPN Reachability Entry (variable) |
+---------------------------------------------------------+
| Second VPN Reachability Entry (variable) |
+---------------------------------------------------------+
.....
+---------------------------------------------------------+
| N-th VPN Reachability Entry (variable) |
+---------------------------------------------------------+
| Length of VPN Tunnel Entries (2 octets) |
+---------------------------------------------------------+
| First VPN Tunnel Entry (variable) |
+---------------------------------------------------------+
| Second VPN Tunnel Entry (variable) |
+---------------------------------------------------------+
.....
+---------------------------------------------------------+
| N-th VPN Tunnel Entry (variable) |
+---------------------------------------------------------+
| Other VPN information (variable) |
+---------------------------------------------------------+
Figure 2. VPN Information within the NLRI field
The use and the meaning of these fields are as follows:
Ould-Brahim, et al. July 2000 [Page 4]
�Internet-Draft BGP/VPN: VPN Information Discovery January 2001
a) Length of the NLRI:
The Length field indicates the length in bits of the NLRI
tuple.
b) Number of VPN-IDs (2 octets):
The number of VPN-IDs carried in this NLRI.
c) VPN-ID field:
The VPN-ID format is defined in RFC2685:
VPN OUI: Identifies VPN Authority (3 octets)
VPN Index: Identifies a VPN within the Authority (4 octets)
d) VPN Topology Attribute
Two octets field used to indicate the nature of
VPN topology.
e) VPN Reachability Mode: A one octet number describing the
reachability mode related to the VPN model used.
f) Length of VPN Reachability Entries: The Length of VPN
entries contains the length (in octets) of the VPN
reachability entries.
g) Length of VPN Tunnel Entries: contains the
length (in octets) of the VPN tunnel entries.
h) Other VPN information: will be used for passing specific
VPN information. This field is optional.
5.1 VPN Membership Discovery using VPN-ID
The IETF [VPN-RFC2685] and the ATM Forum [VPN-ATM] have standardized
on a single format for a globally unique identifier used to identify
a VPN - a VPN-ID. Only the format of the VPN-ID has been defined,
not its semantics or usage. The aim is to allow its use for a wide
variety of purposes, and to allow the same identifier to be used
with different technologies and mechanisms. For example a VPN-ID
can be bound to a tunnel. All packets that traverse the tunnel are
then implicitly associated with the identified VPN.
The same identifier can be used to identify the VPN across different
technologies. Also if a VPN spans multiple administrative domains
the same identifier can be used everywhere.
Ould-Brahim, et al. July 2000 [Page 5]
�Internet-Draft BGP/VPN: VPN Information Discovery January 2001
5.2 VPN Reachability Discovery
BGP can also be used to carry VPN reachability information. Indeed,
once an edge router has determined/learnt the set of prefixes
associated with each of attached VPNs, then this information is
disseminated to each other edge router in the network.
The VPN reachability entry is described as follows:
+--------------------------------------------------------------+
| VPN Reachability Type (2 octets) |
+--------------------------------------------------------------+
| Length (1 octets) |
+--------------------------------------------------------------+
| VPN Reachability Value Field (variable) |
+--------------------------------------------------------------+
Figure 3. VPN Reachability Entry
The use and the meaning of these fields are as follows:
a) VPN Reachability type: is the type of the VPN reachability
information.
b) Length: The length field indicates the length in bits
of the VPN reachability value.
c) VPN Reachability value field: contains the actual VPN route.
5.3 Tunnel Mechanisms Discovery
Network-based VPNs must be implemented through some form of
tunneling mechanism, where the packet formats and/or the addressing
used within the VPN can be unrelated to that used to route the
tunneled packets across the backbone [VPN-RFC2764]. There are
numerous tunneling mechanisms that can be used by a network based
VPN (e.g., IP/IP [RFC-2003], GRE tunnels [RFC-1701], IPSec [RFC-
2401], and MPLS tunnels [MPLS-ARCH]). Each of these tunnels allows
for opaque transport of frames as packet payload across the
backbone, with forwarding disjoint from the address fields of the
encapsulated packets [VPN-RFC2764].
A tunnel connecting two endpoints is a basic building block
from which a variety of different VPN services can be constructed.
A tunnel operates as an overlay across the backbone, and the
traffic sent through the tunnel is opaque to the underlying
backbone. A provider edge router may terminate multiple type of
tunnels and forward packets between these tunnels and other network
interfaces in different ways.
Ould-Brahim, et al. July 2000 [Page 6]
�Internet-Draft BGP/VPN: VPN Information Discovery January 2001
BGP can be used to inform the other edge routers of the nature of
the tunnel mechanism used (e.g., MPLS, IPSec, etc.) with adequate
information about the actual tunnel endpoints.
The tunnel entries are described as below:
+--------------------------------------------------------------+
| Tunnel Type Field (2 octets) |
+--------------------------------------------------------------+
| Length (1 octets) |
+--------------------------------------------------------------+
| Tunnel Value Field (variable) |
+--------------------------------------------------------------+
Figure 4. VPN Tunnel Entry
The use and the meaning of all the fields described above are:
a) Tunnel Type field: Defines the type of tunneling
mechanism (IPSec, IP in IP, MPLS, GRE, etc.).
b) Length: length in bits of the Tunnel value.
c) Tunnel Value Field: This field of variable size contains
information about the tunnel endpoint values.
6. VPN Topology Information
The proposed extensions allow different types of VPN topologies to
be constructed. As an example, a hub and spoke VPN topology or an
arbitrary topology can be constructed using different codes assigned
to the topology attribute field.
7. Multiprotocol Unreachable NLRI for VPN:
MP_UNREACH_NLRI can be used with a SAFI value of 129 for the
purpose of withdrawing multiple unfeasible VPN NLRIs from service.
8. Use of BGP Capability Advertisement
A BGP speaker that uses VPN information as described in this
document with multiprotocol extensions should use the Capability
Advertisement procedures to determine whether the speaker could use
Multiprotocol Extensions with a particular peer.
Ould-Brahim, et al. July 2000 [Page 7]
�Internet-Draft BGP/VPN: VPN Information Discovery January 2001
The Capability Code field is set to 1 (which indicates Multiprotocol
Extensions capabilities). The SAFI field is 129 for VPN information.
9. Security Considerations
The VPN extensions described in this draft do not change the
underlying security issues.
10. References
[BGP-COMM] Ramachandra, Tappan, "BGP Extended Communities
Attribute", February 2000, work in progress
[BGP-MP] Bates, Chandra, Katz, and Rekhter, "Multiprotocol
Extensions for BGP4", February 1998, RFC 2283
[BGP-MPLS] Rekhter Y, Rosen E., "Carrying Label Information in
BGP4", January 2000, work in progress
[BGP-RR] Bates and Chandrasekaran, "BGP Route Reflection: An
alternative to full mesh IBGP", RFC 2796, April 2000
[MPLS-ARCH] Rosen, Viswanathan, and Callon, "Multiprotocol Label
Switching Architecture", August 1999, work in progress
[MPLS-ENCAPS] Rosen, Rekhter, Tappan, Farinacci, Fedorkow, Li, and
Conta, "MPLS Label Stack Encoding", October 1999,work in progress
[MPLS-LDP] Andersson, Doolan, Feldman, Fredette, Thomas, "LDP
Specification", October 1999, work in progress
[RFC-1701] Hanks, S., Li, T., Farinacci, D. and P. Traina, "Generic
Routing Encapsulation (GRE)", RFC 1701, October 1994.
[RFC-2003] Perkins, C., "IP Encapsulation within IP", RFC 2003,
October 1996.
[RFC-2026] Bradner, S., "The Internet Standards Process -- Revision
3", RFC2026, October 1996.
[RFC-2401] Kent S., Atkinson R., "Security Architecture for the
Internet Protocol", RFC2401, November 1998.
[RFC-2411] Thayer, R., et al, "IP Security Document Roadmap", RFC
2411, November 1998.
[RFC-2661] Townsley, W., et al, "Layer Two Tunneling Protocol L2TP",
RFC2661, August 1999.
Ould-Brahim, et al. July 2000 [Page 8]
�Internet-Draft BGP/VPN: VPN Information Discovery January 2001
[RFC-2685] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[VPN-ATM] Petri, B. (editor) "MPOA v1.1 Addendum on VPN support",
ATM Forum, af-mpoa-0129.000.
[VPN-ITU] "Draft Recommendation Y.IPVPN", Study Group 13, Q20/13,
May 2000.
[VPN-RFC2547] Rosen E., et al, "BGP/MPLS VPNs", work in progress.
[VPN-RFC2685] Fox B., et al, "Virtual Private Networks Identifier",
RFC 2685, September 1999.
[VPN-RFC2764] Gleeson, B., et al., "A Framework for IP Based Virtual
Private Networks", RFC 2764, February 2000.
[VPN-VR] Ould-Brahim H., et al., "Network based IP VPN Architecture
using Virtual Routers", work in progress.
11. Intellectual Property Consideration
The IETF has been notified of intellectual property rights claimed
in regard to some or all of the specification contained in this
document. For more information consult the online list of claimed
rights.
12. Acknowledgments
The authors would like to acknowledge the following individuals for
their helpful comments and suggestions: Bilel Jamoussi, Don Fedyk,
and Ahmad Khalid from Nortel Networks.
13. Author's Addresses
Hamid Ould-Brahim
Nortel Networks
P O Box 3511 Station C
Ottawa, ON K1Y 4H7
Canada
Phone: +1 (613) 765 3418
Ould-Brahim, et al. July 2000 [Page 9]
� BGP/VPN: VPN Information Discovery January 2001
Gregory Wright
Nortel Networks
P O Box 3511 Station C
Ottawa, ON K1Y 4H7
Canada
Phone: +1 (613) 765 7912
Email: gwright@nortelnetworks.com
Bryan Gleeson
Nortel Networks
2305 Mission College Blvd
Santa Clara CA 95054
USA
Phone: +1 (505) 565 2625
Email: bgleeson@shastanets.com
Ould-Brahim, et al. July 2000 [Page 10]
� BGP/VPN: VPN Information Discovery January 2001
Full Copyright Statement
Copyright (C) The Internet Society (date). All Rights Reserved. This
document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
Ould-Brahim, et al. July 2000 [Page 11]
�