Internet Draft
Network Working Group Hamid Ould-Brahim
Internet Draft Bryan Gleeson
draft-ouldbrahim-vpn-vr-01.txt Gregory Wright
Expiration Date: January 2001 Nortel Networks
Timon Sloane
N.E.T
Rainer Bach
T-Data
Rick Bubenik
SAVVIS Communications
Abraham Young
Huawei Technologies
July 2000
Network based IP VPN Architecture
using Virtual Routers
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [RFC-2026].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet- Drafts as
reference material or to cite them other than as "work in progress."
Ould-Brahim, et. al [Page 1]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This draft describes a network based VPN architecture using virtual
routers. The VPN service is built based on the virtual router (VR)
concept, which has exactly the same mechanisms as a physical router,
and therefore inherits all existing mechanisms and tools for
configuration, operation, accounting, and maintenance. Within a VPN
domain, an instance of routing is used to distribute VPN
reachability information among VR routers. Any routing protocol can
be used, and no VPN-related modifications or extensions are needed
to the routing protocol for achieving VPN reachability. Virtual
routers can be deployed in different VPN configurations, direct VR
to VR connectivity through layer-2 or by aggregating multiple VRs
into a single VR combined with IP or MPLS based tunnels. This
architecture accommodates different backbone deployment scenarios,
e.g. where the service provider owns their own backbone, and where
the service provider obtains backbone service from one or more other
service providers.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119.
Table of Contents
1 Introduction ........................................ 3
2 Requirements ........................................ 4
3 Network Reference Model .............................. 5
3.1 The Backbone ........................................ 5
4 Virtual Router Definition ............................ 5
5 How VPNs are built and deployed using VRs?............ 6
5.1 VR to VR Connectivity over layer-2 Connections........ 6
5.2 Virtual Router Backbone Aggregation .................. 7
5.2.1 Relationship between the VRs and the Backbone VR ..... 8
5.2.2 Multiple Backbones connected to a single PE .......... 8
6 VPN Topology and Membership Discovery ................ 9
7 Operations and Management ............................ 10
7.1 Backbone Migration ................................... 10
7.2 Troubleshooting ...................................... 10
Ould-Brahim, et al. July 2000 [Page 2]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
8 Quality of Service ................................... 11
9 Scalability .......................................... 11
10 Security Considerations .............................. 11
11 References............................................ 11
11 Acknowledgments ..................................... 12
12 Authors' Addresses .................................. 12
14 Full Copyright Statement ............................ 14
1. Introduction
Several solutions have been put forward to achieve different levels
of network privacy when building VPNs across a shared backbone. Most
of these solutions require separate per VPN forwarding capabilities
and make use of IP or MPLS based tunnels across the backbone [VPN-
VR], [VPN-CORE], and [VPN-RFC2547].
This document describes a network based VPN architecture using
virtual routers. The architecture complies with the IP VPN framework
described in [VPN-RFC2764]. The objective is to provide per VPN
based routing, forwarding, quality of service, and service
management capabilities. The VPN service is built based on the
virtual router concept, which has exactly the same mechanisms as a
physical router, and therefore inherits all existing mechanisms and
tools for configuration, deployment, operation, troubleshooting,
monitoring, and accounting. Virtual routers can be deployed in
different VPN configurations, direct VR to VR connectivity through
layer-2 links/tunnels or by aggregating multiple VRs into a single
VR combined with IP or MPLS based tunnels. This architecture
accommodates different backbone deployment scenarios, e.g. where the
service provider owns their own backbone, and where the service
provider obtains backbone service from one or more other service
providers.
Within a VPN domain, an instance of routing is used to distribute
VPN reachability information among VR routers. Any routing protocol
can be used, and no VPN-related modifications or extensions are
needed to the routing protocol for achieving VPN reachability.
VPN reachability information to and from customer sites can be
dynamically learned from the CE using standard routing protocols or
it can be statically provisioned on the VR. The routing protocol
between the virtual routers and CEs is independent of the routing
used in the VPN backbone. The routing protocol between the VRs maybe
the same or it might be different than the routing mechanism used
between the CE and VR.
There are two fundamental architectures for implementing network
based VPNs, virtual routers (VR) and piggybacking. The main
difference between the two architectures resides in the model used
to achieve VPN reachability and membership functions. In the VR
Ould-Brahim, et al. July 2000 [Page 3]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
model, each VR in the VPN domain is running an instance of routing
protocol responsible to disseminate VPN reachability information
between VRs. Therefore, VPN membership and VPN reachability are
treated as separate functions, and separate mechanisms are used to
implement these functions. VPN reachability is carried out by a per-
VPN instance of routing, and a range of mechanisms is possible for
determining membership (see section 6.0). In the piggyback model the
VPN network layer is terminated at the edge of the backbone, and a
backbone routing protocol (i.e. BGP-4) is responsible for
disseminating the VPN membership and reachability information
between provider edge routers (PE) for all the VPNs configured on
the PE. [VPN-RFC2547bis] is an example of a piggyback VPN
architecture.
2. Requirements
This section lists some requirements addressed by the proposed
architecture:
(a) It should be easy to configure, deploy, operate and
troubleshoot each VPN independently using existing
mechanisms and tools.
(b) The architecture should accommodate different levels of data
and routing security.
(c) The backbone internal nodes must not be VPN aware and will
not keep any VPN state inside the backbone (for scalability
purposes).
(d) It is desirable to support the use of any routing protocol in
the VPN domain and in the backbone.
(e) The architecture must support overlapping VPN address spaces
in separate VPNs.
(f) Quality of service should be configurable per VPN.
(g) The architecture should accommodate different sizes of VPNs,
and one VPN should not impact other VPNs on the PE.
(h) The addition of a new VPN site or the reconfiguration of an
existing VPN site must not impact other VPNs.
(i) The architecture should support direct paths between VPN
sites that bypass the service provider backbone (backdoor
links). Traffic can be directed to the backdoor link, or
injected to the backbone with the flexibility of using both
the backbone access, and the backdoor link as internal or
external paths.
(j) The architecture must work over different deployment
scenarios, e.g. where the service provider owns their own
backbone, and where the service provider obtains backbone
service from one or more other service providers.
(k) The architecture should not be limited to a single tunneling
mechanism.
Ould-Brahim, et al. July 2000 [Page 4]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
3. Network Reference Model
A VPN customer site is connected to the provider backbone by means
of a connection between a CE device, (which can either be a bridge
or a router) and a virtual router. CE devices are preconfigured to
connect to one (or more) VR(s). M ul tiple virtual routers
coexist on the same service provider edge device (PE).
CE devices can be attached to VRs over any type of access link (e.g.
ATM, frame relay, ethernet, PPP or IP tunneling mechanism such as
IPSec, L2TP or GRE tunnels).
+---+ +---+
| P |....| P |
+---+ +---+
PE / \ PE
+----+ +------+ +------+ +---+
| CEs|--|-{VRs}| |{VRs}-|--|CEs|
+----+ +------+ +------+ +---+
\ /
+---+ +---+
| P |....| P |
+---+ +---+
Figure 1: Network Reference Model
CE sites can be statically connected to the provider network via
dedicated circuits, or can use dial-up links. Routing tables
associated with each virtual router define the site-to-site
reachability for each VPN. The internal backbone provider routers
(P) are not VPN aware and do not keep VPN state.
3.1 Backbone
In general the backbone is a shared network infrastructure, which
represents:
(a) A layer-2 ATM or frame relay network.
(b) An IP network.
(c) An MPLS network.
Not all VPNs existing on the same PE are necessarily connected to
the same backbone. The same backbone can be built from multiple
transport technologies.
4. Virtual Router Definition
Ould-Brahim, et al. July 2000 [Page 5]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
A virtual router (VR) is an emulation of a physical router at the
software and hardware levels. Virtual routers have independent IP
routing and forwarding tables and they are isolated from each other.
This means that a VPN's addressing space can overlap with another
VPN's address space. The addresses need only be unique within a VPN
domain.
A virtual router has two main functions:
1. Constructing routing tables describing the paths between VPN
sites using any routing technologies (e.g., static, OSPF, RIP,
or BGP).
2. Forwarding packets to the next hops within the VPN domain.
From the VPN user point of view, a virtual router provides the same
functionality as a physical router. Separate routing, and forwarding
capabilities provide each VPN CE link with the appearance of a
dedicated router that guarantees isolation from other VPN traffic
while running on shared forwarding and transmission resources.
Virtual routers belonging to the same VPN domain must have the same
Virtual Private Network Identifier (VPNID). An example of VPNID
format is described in [VPN-RFC2685]. To the CE access device, the
virtual router appears as a neighbor router in the CE based network,
to which it sends all traffic for non-local VPN destinations. Each
CE access device must learn the set of destinations reachable
through its connection to the virtual router; this may be as simple
as a default route. Virtual routers participating in a single VPN
domain are responsible for learning and disseminating VPN
reachability information among themselves. A given virtual router
holds the routes only for the specific VPNs configured for that VR.
Any routing protocol can be used between the VRs and the CEs.
5. How VPNs are built and deployed using VRs?
Two main VR deployment scenarios can be used for building virtual
private networks:
. VR to VR connectivity over a layer 2 connections.
. Aggregating multiple virtual routers over a single virtual router.
The above VR deployment scenarios can coexist on a single PE and
they are not mutually exclusive.
5.1 VR to VR Connectivity over Layer 2 Connections
As illustrated in figure 2, virtual routers can be deployed over
direct layer-2 frame relay or ATM connections or other layer-2
transport technology.
Ould-Brahim, et al. July 2000 [Page 6]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
PE PE
+---------------+ +---------------+
+-----+ | | | | +-----+
|VPN-A| | +----+ Layer-2 connections +----+ | |VPN-A|
|sites|-|-|VR-A| <--------------------------->|VR-A|-|-|sites|
+-----+ | +----+ | -------- | +----+ | +-----+
| |-( Layer-2)-| |
+-----+ | +----+ | (Backbone) | +----+ | +-----+
|VPN-B|-|-|VR-B| | -------- | |VR-B|-|-|VPN-B|
|sites| | +----+<--------------------|------->+----+ | |sites|
+-----+ | | | | +-----+
+---------------+ +---------------+
Figure 2: VR to VR connectivity over a layer-2 backbone
This type of VR deployment allows direct quality of service
engineering per VPN connection basis. The connections can be
statically configured or dynamically established.
5.2 Virtual Router Backbone Aggregation
Another typical VPN configuration consists of connecting multiple
virtual routers to the backbone through the use of a single virtual
router (figure 3). For easy reference in the following sections
let's call this single virtual router "the backbone virtual router"
or "the backbone VR".
The backbone virtual router is not functionally different than other
virtual routers. It is only a virtual router that is configured and
deployed in a special configuration.
PE PE
+---------------+ +---------------+
+-----+ | | | | +-----+
|VPN-A| | +----+ MPLS/IP based Tunnels +----+ | |VPN-A|
|sites|-|-|VR-A|\<--------------------------->|VR-A|-|-|sites|
+-----+ | +----+ +----+ | -------- | +----+/+----+ | +-----+
| |VR-1|-|-(IP/MPLS )-|-|VR-2| |
+-----+ | +----+/+----+ |(Backbones )| +----+\+----+ | +-----+
|VPN-B|-|-|VR-B| | ---------- | |VR-B|-|-|VPN-B|
|sites| | +----+<-------|-------------------->+----+ | |sites|
+-----+ | MPLS/IP based Tunnels | +-----+
| | | |
+---------------+ +---------------+
Figure 3: VR-1 and VR-2 used as backbone VRs
Ould-Brahim, et al. July 2000 [Page 7]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
The backbone virtual router connects each PE to a shared backbone
infrastructure. Backbone virtual routers can be deployed over ATM,
FR, IP, or MPLS networks. Since the backbone VR allows the
aggregation of VPN VRs, backbone configuration remains unaffected as
new VPN sites are added. The relationship between the VRs and the
backbone VR is an overlay relationship. No routing relationship
exists between the VRs and the backbone VRs.
VPN data and routing information is tunneled through the use of IP
or MPLS based tunnels. Other types of tunneling are not excluded
with this architecture. The tunnels can be statically configured or
dynamically established. The tunnel appears to VRs as a point-to-
point link. Traffic sent through the tunnel, and forwarded by the
backbone VR is opaque to the underlying backbone technology used.
The backbone VR makes it appear as if each VR within a VPN is
directly connected (full and partial mesh configurations supported).
Each VR within the VPN exchanges routing information directly with
the other VRs in the VPN. The backbone VR exchanges routing
information with other backbone entities (P routers and possibly
other backbone VRs).
Virtual routers can run any routing protocol on their local VPN
domain. Both static routes and dynamic routing protocols such as
RIP, OSPF, and BGP-4 can be used. VPN sites exchange routing
information through the tunnels over the backbone.
If a backdoor link is used between private CE based network running
any IGP, then by adjusting the backdoor link costs appropriately,
the backbone link can be favored for forwarding VPN traffic. By
lowering the weight, the backdoor link can be used as a backup link
in case the backbone path fails.
5.2.1 Relationship between the VRs and the Backbone VR
The routing domain of a set of VRs participating in a single VPN has
no relation to the routing domain of the backbone VR. The backbone
VR is not necessarily aware of the routing instances running on each
private virtual router.
5.2.2 Multiple Backbones connected to a single PE
Figure 4 illustrates an example where multiple backbones are
connected to the same PE. This type of configuration can be used
when the PE is connected to multiple service provider backbones, or
when the service provider offers different VPN services for
different type of backbones.
Ould-Brahim, et al. July 2000 [Page 8]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
PE PE
+---------------+ +---------------+
+-----+ | | | | +-----+
|VPN-A| | +----+ | | +----+ | |VPN-A|
|sites|-|-|VR-A|\ | | |VR-A|-|-|sites|
+-----+ | +----+ +----+ | --------- | +----+/+----+ | +-----+
| |VR-1|-|-(Backbones)|-|VR-2| |
+-----+ | +----+/+----+ | ( 1 )| +----+\+----+ | +-----+
|VPN-B|-|-|VR-B| | --------- | |VR-B|-|-|VPN-B|
|sites| | +----+ | | +----+ | |sites|
+-----+ | | | | +-----+
| | | |
+-----+ | | | | +-----+
|VPN-C| | +----+ | | +----+ | |VPN-C|
|sites|-|-|VR-C|\ | | |VR-C|-|-|sites|
+-----+ | +----+ +----+ | -------- | +----+/+----+ | +-----+
| |VR-3|-|-(Backbone)-|-|VR-4| |
+-----+ | +----+/+----+ | ( 2 & 3 ) | +----+\+----+ | +-----+
|VPN-D|-|-|VR-D| | -------- | |VR-D|-|-|VPN-D|
|sites| | +----+ | | +----+ | |sites|
+-----+ | | | | +-----+
+---------------+ +---------------+
Figure 4: Multiple Backbones connected to a single PE
6. VPN Topology and Membership Discovery
The virtual router approach explicitly separates the mechanisms used
for distributing reachability information from mechanisms used for
achieving VPN topology determination. VPN membership information
refers to the set of PEs that have customers in a particular VPN.
VPN topology represents the set of PEs and their interconnectivity.
The topology can be a full-mesh of PEs, a hub and spoke, or anything
in between. Dynamic topology can also be handled due to on-demand
VPN customers.
VPN membership discovery can be achieved through different
mechanisms, for example [VPN-ITU]:
. Directory server approach, which VRs query a server to determine
their neighbors.
. Explicit configuration via a management platform.
. Piggybacking VPN information using existing routing protocols
(e.g., BGP) [VPN-BGP].
The above mechanisms can be combined on a single PE. As an example,
for some VPNs topology discovery is done only through a management
Ould-Brahim, et al. July 2000 [Page 9]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
platform. For others, dynamic topology discovery is achieved using
existing routing protocol [VPN-BGP].
7. Operations and Management
One of the greatest strengths of the VR approach to VPN creation is
that all the existing tools for operating, managing and debugging IP
networks can continue to be used without modification. All the
standard MIBs, such as the forwarding/route table and interface MIBs
are available.
In case of PE failure (e.g. migration, upgrades, etc.), the service
provider may want to control and decide what VPN services gets
reestablished first. This particular point is important when a large
number of VPNs is supported on the PE where each VPN service has
different service availability requirements.
Since each VR operates as an independent router, it is possible for
the management of the VRs to be outsourced. VPN customers may
choose to configure (or perhaps only to monitor) the VRs that make
up their VPN. It is also possible that the backbone VRs could be
managed by a separate entity. Each VR operates independently, and
can be individually reconfigured without effecting other VRs on the
same PE. In some implementations, it may even be possible for a VR
to be "rebooted" by a customer without effecting other VRs.
7.1 Backbone Migration
One benefit in using multiple backbone virtual routers is the
ability for the backbone network administrator to migrate its
backbone from one core technology to another with minimal disruption
to VPN services. Indeed a VPN configuration change or a VPN-software
upgrade is totally transparent to the backbone protocol and policies
(this is due to decoupling the VPN routing protocol from the
provider backbone routing protocol).
7.2 Troubleshooting
The service provider or the VPN customer can use all existing
troubleshooting tools per VPN basis (e.g. ping and traceroute). As
an example a VPN customer can telnet to its own VR and performs some
troubleshooting operations. In this particular case, the service
provider can configure for each VPN customer restricted privileges
over the virtual router associated with the customer VPN network.
However, backbone topology information is completely hidden to the
VPN VR, and therefore to the service provider customer.
Ould-Brahim, et al. July 2000 [Page 10]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
8. Quality of Service
This architecture can utilize different quality of service
mechanisms. QoS mechanisms developed for physical routers can be
used with VRs, on a per-VR basis. e.g. classification, policing,
drop policies, traffic shaping and scheduling/bandwidth reservation.
The architecture allows separate quality of service engineering of
the VPNs and the backbone.
9. Scalability
Only the PEs are handling the VPN type information. The internal
backbone routers (the P routers) are not VPN aware. Furthermore,
virtual routers allow multiple privates CE based networks to connect
to a single PE.
One advantage of the ability to contain the VPN address space and
VPN routing and forwarding capabilities within the virtual router
entity is the possibility to distribute PE system resources per VPN
basis. Indeed, as an example, different scheduling mechanisms can be
used for processing each VPN activity within the PE. This type of
per VPN resource management contributes in establishing a wide range
of priority schemes among VPNs within the PE.
10. Security Considerations
Different levels of data, routing and configuration security can be
implemented. Any existing security related mechanisms supported by
existing routing protocols (e.g. authentication) can be used
unmodified in the VR architecture. If IPSec tunneling is used as the
tunneling protocol, then both the control and data traffic that
travels over the tunnel can be secured; so that routing specific
security enhancements are not needed. Any private routing,
forwarding and addressing manipulation are done within the virtual
router context. Direct layer-2 connections (ATM, FR), or specific
tunneling mechanisms can also provide different levels of data
security.
11. References
[GRE-RFC1701] Hanks, S., Li, T., Farinacci, D. and P. Traina,
"Generic Routing Encapsulation (GRE)", RFC 1701, October 1994.
[CR-LDP] Jamoussi, B., et al, "Constraint-based LSP Setup using
LDP", Work in Progress.
[RFC-2003] Perkins, C., "IP Encapsulation within IP", RFC 2003,
October 1996.
Ould-Brahim, et al. July 2000 [Page 11]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
[RFC-2026] Bradner, S., "The Internet Standards Process -- Revision
3", RFC 2026, October 1996.
[RFC-2401] Kent S., Atkinson R., "Security Architecture for the
Internet Protocol", RFC2401, November 1998.
[RFC-2411] Thayer, R., et al, "IP Security Document Roadmap", RFC
2411, November 1998.
[RFC-2661] Townsley, W., et al, "Layer Two Tunneling Protocol L2TP",
RFC2661, August 1999.
[RFC-2685] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[VPN-CORE] Muthukrishnan, K., Malis, A., "Core MPLS IP VPN
Architecture", Work in Progress
[VPN-BGP] Ould-Brahim, H., et al., "BGP/VPN: VPN Information
Discovery for network based VPNs", work in progress, July 2000.
[VPN-INW] Sumimoto, J., et al, "MPLS VPN Interworking", Work in
Progress.
[VPN-ITU] "Draft Recommendation Y.IPVPN", Study Group 13, Q20/13,
May 2000.
[VPN-RFC2547bis] Rosen E., et al, "BGP/MPLS VPNs", work in progress.
[VPN-RFC2685] Fox B., et al, "Virtual Private Networks Identifier",
RFC 2685, September 1999.
[VPN-RFC2764] Gleeson, B., et al., "A Framework for IP Based Virtual
Private Networks", RFC 2764, February 2000.
12. Acknowledgments
The authors would like to acknowledge the following individuals for
their helpful comments and suggestions: Bilel Jamoussi, David
Hudson, David Drynan, Ru Wadasinghe, Peter Ashwood-Smith, Can Aysan,
Martin Pepin, Ahmad Khalid, John Luetchford, and Don Fedyk.
13. Author's Addresses
Ould-Brahim, et al. July 2000 [Page 12]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
Hamid Ould-Brahim Bryan Gleeson
Nortel Networks Nortel Networks
P O Box 3511 Station C 2305 Mission College Blvd
Ottawa, ON K1Y 4H7 Santa Clara CA 95054
Canada USA
Phone: +1 (613) 765 3418 Phone: +1 (408) 565 2625
Email: hbrahim@nortelnetworks.com Email:bgleeson@shastanets.com
Gregory Wright Timon Sloane
Nortel Networks N.E.T
P O Box 3511 Station C 6500 PASEO Padre Parkway
Ottawa, ON K1Y 4H7 Fremont, CA 94555
Canada USA
Phone: +1 (613) 765 7912 Phone: +1 (510) 574 2477
Email: gwright@nortelnetworks.com Email:timon_sloane@net.com
Rainer Bach Rick Bubenik,
T-Data SAVVIS Communications
Hans-Guenther-Sohl-Strasse7 717 Office Parkway
40235, Duesseldorf St. Louis, Mo. 63141
Germany USA
Phone: 49 211 694 2420 Phone: +1 (314) 468-7021
Email: Rainer.Bach@telekom.de rickb@savvis.net
Abraham Young
HUAWEI Technologies Co., LTD.
Kefa Road
Science-Based Industrial Park
Nanshan District, Shenzhen 518057
China
Phone: +86-755-6543662
Email: abyoung@huawei.com.cn
Ould-Brahim, et al. July 2000 [Page 13]
�Internet-Draft draft-ouldbrahim-vpn-vr-01.txt January 2001
Full Copyright Statement
"Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
removing the copyright notice or references to the Internet Society
or other Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Ould-Brahim, et al. July 2000 [Page 14]
�