Internet Draft Network Working Group S. Pegrum Internet Draft D. Jamieson Expiration Date: September 1998 M. Yuen Nortel (Northern Telecom) Ltd. March 1998 VPN Multipoint to Multipoint Tunnel Protocol (VMMT) draft-pegrum-vmmt-00.txt Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast) Abstract For many carrier's, the implementation of Virtual Private Network (VPN) services using current IP Tunneling technology is problematic because of onerous configuration requirements. The VMMT is an protocol for the dynammic distribution of VPN information throughout a shared network, and the automatic formation of multi-point to multi-point tunnels between VPN routers. The method described in this internet draft is intended for single AS where the AS administrator is a trusted third party. Traffic seperation is maintained between VPNs. Table of Contents 1 Introduction ............................................ 2 1.1 Terminology ............................................. 2 2 Address Assignment ...................................... 2 3 Routing Updates ......................................... 3 4 Message Formats ......................................... 4 5 VPN Configuration Information Distribution .............. 6 Pegrum, et. al. Internet Draft [Page 1] RFC NNNN VMMT Protocol March 1998 5.1 Multicast Enabled Shared Networks ....................... 6 5.2 Non-Multicast Enabled Shared Networks ................... 6 6 Summary ................................................. 6 7 Security Considerations ................................. 7 8 Referneces .............................................. 7 9 Author's Address ........................................ 7 1. Introduction For the purposes of this document, a VPN shall be considered to consist of a grouping of private routers that use a shared tunneled backbone. Multiple VPNs use the shared backbone. Private routers that are members of the same VPN form a peer group. The members of the peer group communicate with each other over a logical shared broadcast medium which is actually the tunnelled backbone simulating a shared broadcast medium for each VPN peer group. In common tunnel implementations, tunnels are point to point connections where the endpoints are statically configured by the network operator. The VMMT protocol dynamically distributes connection information (tunnel endpoints) between VPN peers throughout a shared network, to allow dynamic establishment of a tunnel. The VPN connection information could include multi-cast information allowing the establishment of multi-point to multi-point tunnels. Each VPN peer (router) belonging to a VPN is identified by a 32 bit VPN identifier (VPNID) that is unique in the shared network, but common to all routers belonging to the VPN. 2. Address Assignment Each VPN peer would have assigned to it one shared IP address and multiple private IP addresses. The shared IP address is used as the source address in all tunnel IP headers. There is also, optionally, a shared IP multi-cast group address which is used to send VPN multicast or broadcast packets to VPN peers . It also has one private address for each interface into the private network, and one for the interface into the shared network. The private IP address for the interface into the shared network will have the same IP subnet value as all VPN peers. 3. Routing Updates Pegrum, et. al. Internet Draft [Page 2] RFC NNNN VMMT Protocol March 1998 No routing information is exchange between the shared and private networks. Routing updates from the shared network are blocked and not transmitted into the private networks. Conversely, private network updates, even though they are tunnelled across the shared network, are not transmitted into the shared network. Pegrum, et. al. Internet Draft [Page 3] RFC NNNN VMMT Protocol March 1998 4. Message Formats The message formats follow standard ICMP type messages. The IP Header is not shown in the diagrams below. VPN ICMP Solicitation Message 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num Addrs | Addr Entry Size | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | VPN Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Shared Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Private Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | IP Header Addresses: Destination Address: Shared Network IP Address Source Address: Shared Network IP Address ICMP Fields: Type: VPN Solicitation Type Code: 0 Checksum: 16 bit one's complement of entire message Num VPNs: Number of VPNs contained in this message Addr Entry: Size of message in 32 bit words Pegrum, et. al. Internet Draft [Page 4] RFC NNNN VMMT Protocol March 1998 VPN ICMP Advertisement Message 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num Addrs | Addr Entry Size | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | VPN Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Shared Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Private Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Shared Network IP Fields: Destination Address: Shared Network IP Address Source Address: Shared Network IP Address ICMP Fields: Type: VPN Solicitation Type Code: 0 Checksum: 16 bit one's complement of entire message Num VPNs: Number of VPNs contained in this message Addr Entry: Size of message in 32 bit words Pegrum, et. al. Internet Draft [Page 5] RFC NNNN VMMT Protocol March 1998 5. VPN Configuration Information Distribution 5.1 Multicast Enabled Shared Networks Each VPN peer is required to join the multicast group that is provisioned for its associated VPN. After joining the multicast group, the VPN peer then executes an ICMP Router Discovery [1] like protocol on that multicast group. These messages are a combination of VPN discovery and address resolution. The VPN discovery is meant to be a security measure to ensure that all routers belonging to this multi-cast group belong to the same VPN. This is intended to guard against configuration errors only. It is assumed that the shared network is secure. New VPN peers joining the multi-cast group immediately issue a VPN ICMP Router Solicitation message to trigger advertisements from other routers on the VPN. This provides immediate configuration feedback to the network operator upon switch reconfiguration, by allowing the VPN peer to compare the VPNID advertised with it's own. In addition, each switch periodically issues a VPN Router Advertisement Message to ensure that the VPN integrity is maintained. The default period for Advertisement Messages is every 10 minutes but the network operator can configure the advertisement rate as appropriate for the network. The VPN peers are now able to communicate with one another through standard routing protocols. VPN broadcast messages traverse shared network as a multicast address so that only entities belonging to that VPN see those messages. ARP entries on VPN peers are refreshed when processing the VPN ICMP Advertisement messages received from other peers. The private address resolves into a shared network unicast address. Unicast VPN messages traverse the shared network as unicast tunnelled messages. 5.2 Non-Multicast Enabled Shared Networks The VMMT distribution mechanism is the same as in the multi-cast enabled case except that the shared destination address is a broadcast address instead of a multicast group address. 6. Summary VMMT addresses several problems: - Dynamic VPN endpoint configuration - Multi-point to Multi-point tunnels. - Security against network operator misconfiguration - Ensures network isolation Pegrum, et. al. Internet Draft [Page 6] RFC NNNN VMMT Protocol March 1998 The VMMT protocol allows for scalable VPN solutions using a common shared infrastructure. 7. Security Considerations This protocol requires the shared network to be secure and trusted. 8. References [1] S. Deering, Editor, "ICMP Router Discovery Messages", RFC 1256, Xerox PARC, September 1991 [2] S. Hanks et al., "Generic Router Encapsulation", RFC 1701, NetSmiths Ltd & Cisco Systems, October 1994 9. Author's Address Scott Pegrum Nortel (Northern Telecom), Ltd. PO Box 3511 Station C Ottawa ON K1Y 4H7 Canada EMail: spegrum@Nortel.ca Dwieght Jamieson Nortel (Northern Telecom), Ltd. PO Box 3511 Station C Ottawa ON K1Y 4H7 Canada EMail: djamies@Nortel.ca Matthew Yuen Nortel (Northern Telecom), Ltd. PO Box 3511 Station C Ottawa ON K1Y 4H7 Canada EMail: myuen@Nortel.ca Pegrum, et. al. Internet Draft [Page 7] -------------------------------------------------------------------------- Scott Pegrum Nortel Enterprise Networks Phone: (613) 763-2693 Fax: (613) 765-2186 email: spegrum@nortel.ca