One document matched: draft-raggarwa-ppvpn-tunnel-encap-sig-00.txt
Network Working Group Rahul Aggarwal
Internet Draft Redback Networks
Expiration Date: August 2003
Robert Raszuk
Francois Le Faucheur
Cisco Systems, Inc.
Cristallo Geoffrey
Jeremy De Clercq
Alcatel
Signaling Tunnel Encapsulation/Deencapsulation Capabilities
draft-raggarwa-ppvpn-tunnel-encap-sig-00.txt
1. Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026, except that the right to
produce derivative works is not granted.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
1. Abstract
This document proposes a lightweight mechanism for signaling a PE
router's tunnel encapsulation capabilities. One example is its
capability to encapsulate MPLS using dynamic GRE and/or IP. This is
applicable when a MPLS packet is tunneled using dynamic GRE and/or
IP encapsulation [MPLS-IP-GRE] between PE routers. For instance the
draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt [Page 1]
Internet Draft draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt February 2003
MPLS packet may be a 2547 based MPLS VPN packet [2547bis], a layer 2
packet transported using MPLS [MARTINI], a MPLS tunneled IPv6 packet
or a MPLS IPv6 VPN packet [BGP-VPN-IPv6]. Adding such a mechanism has
several benefits. It helps in blackhole avoidance and eases
transitioning from MPLS tunneling based Layer 3/Layer 2 VPNs to GRE/IP
tunneling based Layer 3/Layer 2 VPNs (and vice versa). Such a mechanism
is needed where a network may be using MPLS and GRE (or IP) for
tunneling, simultaneously in different parts of the network. It can
help in encapsulation selection when multiple tunneling technologies
are supported. It can also be used to facilitate the use of security
mechanisms in the network backbone.
2. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Summary for Sub-IP Area
3.1. Related documents
See the Reference Section
3.2. Where does it fit in the Picture of the Sub-IP Work
This work fits in the PPVPN WG.
3.3. Why is it Targeted at this WG
[2547bis] is a product of the PPVPN WG. This document specifies a
mechanism that proposes a lightweight mechanism for signaling a PE
router's capability to encapsulate MPLS using dynamic GRE and/or IP.
This is applicable when a 2547 based MPLS VPN packet is tunneled
using a dynamic GRE and/or IP encapsulation [MPLS-IP-GRE] between
PE routers. Since the procedures described in this document are
directly related to [2547bis], it would be logical to target
this document at the PPVN WG.
4. Mechanism
Mutliple applications such as 2547 VPNs, Layer 2 VPNs, point to point
Layer 2 transport over MPLS, IPv6 over IPv4 MPLS or IPv6 VPN over MPLS
may use dynamic GRE or IP encapsulation for tunneling traffic across a
network backbone. This document uses the term 'soft GRE' to refer to
dynamic GRE encapsulation. If a PE router is using soft GRE or IP
encapsulation for tunneling traffic for one or more of these
draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt [Page 2]
Internet Draft draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt February 2003
applications, across the backbone, it is not possible currently for it
to dynamically learn the encapsulation capability of the remote PE
router. In the context of 2547 based VPNs this PE router does not know
the MPLS in soft GRE or MPLS in IP encapsulation capability of the BGP
next-hop to which the traffic is destined. This document proposes a
simple signaling mechanism by way of which this PE router can learn the
MPLS in soft GRE or MPLS in IP encaspulation capability of the remote
PE routers. This is achieved by propagating this information in BGP or
in LDP.
4.1 BGP Extension
We define a BGP opaque extended community that can be attached to a BGP
NLRI advertisement to indicate the MPLS or other encapsulation
capabilities of such a NLRI. It is referred to as the Tunnel
Encapsulation Capabilities extended community. It is non-transitive
across the Autonomous System boundary. It should not be propagated by
EBGP when the next hop associated with the NLRI is changed. However in
certain cases it may be desirable to propagate this extended community
in EBGP if the next hop is unchanged.
As a note since the extended community attribute itself is optional and
transitive, a BGP speaker that does not understand an extended community
attribute will set the partial bit in the attribute. Hence a BGP peer
that understands the Tunnel Encapsulation Capabilities extended
community may not use this extended community if it is received as part
of an extended community attribute that has the partial bit set. This
is because the next hop may have been changed by a router that did not
understand the extended community attribute.
The Tunnel Encapsulation Capabilities community is of an extended type.
The value of the high-order octet of the Type Field is 0x43. The value
of the low-order octet of the Type field of this extended community is
0x01 [BGP-EXT-COM].
The Tunnel encapsulation extended community has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0x43 |Sub-Type = 0x01| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Encapsulation Capabilities |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The encapsulation capabilities bit-mask indicates all the
encapsulations supported by the BGP speaker for the advertised NLRI and
is encoded in the two least significant octets. The following
encapsulation capabilities are defined as of now:
draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt [Page 3]
Internet Draft draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt February 2003
0x0001 - IPv4 in IPv4
0x0002 - IPv4 in GRE
0x0004 - IPv4 in IPSec
0x0008 - GRE in IPSec
0x0010 - MPLS in soft GRE
0x0020 - MPLS in IPv4
0x0040 - MPLS in IPv6
0x0080 - IPv6 in IPv4
0x0100 - IPv6 in MPLS
4.2 LDP Extension
MPLS in soft GRE or MPLS in IP encapsulation capability may need to be
advertised when LDP signaling is used for establishing pseudo wires
[MARTINI] or for Layer 2 VPNs [LDP-SIG]. When BGP is used as a
discovery mechanism for Layer 2 VPNs BGP extensions proposed in 4.1
should be sufficient for determining the right encapsulation to use.
If this is not the case, the encapsulation capability is advertised
in LDP. This is done at the time of LDP session establishment. We
define a LDP Tunnel Encapsulation Capabilities Session TLV for this
purpose.
This TLV is advertised as an optional parameter in the LDP
Initialization message. This optional parameter has a type of 0x0506
(Subject to IANA approval) and has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0|0| Type = 0x0506 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Encapsulation Capabilities |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Encapsulation bit-mask indicates all the encapsulations supported by
the PE originating the Initialization message. They are encoded in the
two least significant octets:
0x01 - MPLS in soft GRE
0x02 - MPLS in IPv4
0x04 - MPLS in IPv6
4.3 Applicability of BGP and LDP Extensions
The decision to use BGP or LDP for advertising the tunnel
encapsulation capability depends on the application. For 2547 based
VPNs this information is advertised in BGP advertisements using the
draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt [Page 4]
Internet Draft draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt February 2003
Tunnel encapsulation extended community. This is also true for BGP
based Layer 2 VPNs [BGP-L2VPN]. BGP may be used as an auto-discovery
mechanism for Layer 2 VPNs established using LDP signaling [BGP-AUTO].
In this case Tunnel encapsulation extended community can be added to
the BGP auto-discovery advertisements to convey the encapsulation
capability. For IPv6 tunneling and IPv6 VPN applications BGP Tunnel
encapsulation capability can be used [BGP-VPN-IPv6].
There may be cases when LDP is used for establishing pseudo wires and
Layer 2 VPNs [MARTINI, LDP-SIG], and BGP is not used as an
auto-discovery protocol. In this case the encapsulation capability can
be advertised using the Encapsulation TLV in the LDP
Initialization message.
5. Usage
We describe the usage of this signaling enhancement in the context
of 2547, though its equally applicable to Layer 2 VPNs and other
tunneling applications. With this mechanism a PE can 'signal' its
tunnel enapsulation capabilities including MPLS in IP or MPLS in soft
GRE encapsulation capability to other PEs. A PE (say PE1) now has two
pieces of information while determining if VPN routes learned from a
remote PE (say PE2) are eligible for MPLS in IP or MPLS in soft GRE
encapsulation:
o Is PE1 configured to support MPLS in IP or MPLS in soft GRE
encapsulation
o Does PE2 support MPLS in IP or MPLS in soft GRE encapsulation.
This is learned via the mechanism described above.
If both the above are true, the VPN route can be installed in the VRF
and tunneled using IP or soft GRE. Else the VPN route cannot be
tunneled using IP or soft GRE. However it can still be tunneled
using MPLS or some other tunneling mechanism. If PE2 supports
multiple encapsulations, this mechanism can be used to pick one of
the encapsulations based on local policy at PE1. In certain
implementations BGP may propagate the capability of PE2 to
the local RIB. Hence the local RIB can determine if a particular
next-hop is eligible for MPLS in IP or MPLS in soft GRE enapsulation.
6. Benefits
This mechanism adds several benefits:
6.1. Blackhole Avoidance
Without this mechanism its possible in certain cases for a local PE to
draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt [Page 5]
Internet Draft draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt February 2003
tunnel packets to a remote PE using an encapsulation that is not
supported by the remote PE. For instance without knowing the MPLS in IP
or MPLS in soft GRE capability of the remote PE, the local PE, if
configured for MPLS in IP or MPLS in soft GRE, can start sending IP or
GRE encapsulated MPLS traffic to the remote PE even if the remote PE
doesn't support MPLS in IP or MPLS in soft GRE encapsulation. This can
happen if the remote PE is running a software version that is not
capable of performing the corresponding de-encapsulation or if
its simply not configured to support the expected de-encapsulation.
This can result in blackholing the MPLS traffic. This mechanism avoids
that as the local PE will never send IP or GRE encapsulated VPN traffic
to the remote PE unless the remote PE advertises that its MPLS in IP or
MPLS in soft GRE capable.
6.2. Co-existing MPLS and IP or Soft GRE tunneling
It is conceivable that in a network providing 2547 based VPN service
some of the PEs are attached to a part of the backbone which runs MPLS
while other PEs are attached to a part of the backbone where MPLS is
not running. Thus some of the PEs may support MPLS in soft GRE or MPLS
in IP while others may support only MPLS tunneling. Further still its
conceivable that one may wish to use soft GRE tunneling for certain
VPN routes and MPLS tunneling for other VPN routes destined to the
same PE. An example would be a co-existing IPSec over GRE and MPLS
tunneling service for VPN-routes.
Hence if LDP is used for MPLS tunneling, a given PE (say PE1) may be
configured to run LDP and support soft GRE at the same time. The
reason being that some of the remote PEs can only use MPLS tunneling.
However currently there is no way for a remote PE (say PE2) that
supports soft GRE to know the tunneling tecnology to use while sending
MPLS VPN traffic to PE1. If it prefers using soft GRE it cannot be sure
that PE1 supports soft GRE and it cannot rely on the LDP FECs
received from PE1 to make this decision. The mechanism proposed in
this document solves this problem as PE2 can learn the soft GRE
capability of PE1.
VPN routes advertised by a PE may be advertised with different
next-hops if this PE wants the remote PEs to use different tunneling
technologies for different next-hops. Hence this PE may wish to
receive GRE encapsulated VPN traffic for some VPN routes and MPLS
encapsulated VPN traffic for other VPN routes. It is possible to
advertise the soft GRE capability only for certain VPN routes,
associated with a particular next-hop.
draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt [Page 6]
Internet Draft draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt February 2003
6.3. Transitioning
An operator may wish to transition some or all of the routers in a
2547 based network from using MPLS based tunneling to soft GRE or IP
based tunneling and vice-versa. This approach greatly simplifies this
transition. Once the remote soft GRE or IP encapsulation capability
is known a PE can determine if it wishes to use MPLS or GRE or IP to
encapsulate the traffic. Without this mechanism an operator
transitioning certain routers from MPLS based tunneling to GRE based
tunneling needs to enable soft GRE on all such routers before MPLS
can be turned off on any of the routers. Similarly, without this
mechanism, an operator transitioning certain routers from soft GRE
based tunneling to MPLS tunneling needs to enable MPLS on all such
routers before soft GRE can be turned off on any of the routers.
6.4. Security Enhancement
This approach can be used to enhance the security of the network
backbone when MPLS in IP or MPLS in soft GRE encapsulation is used.
In this case a router should accept MPLS in IP or MPLS in soft GRE
encapsulated packets only from routers in the provider's backbone.
This implies that the egress router should verify the source of the
tunneled packet, ensuring that it is sent by a trusted router. This
would require the trusted source addresses to be configured. The
mechanism described in this document simplifies this as the remote PE
addresses associated with the MPLS encapsulation capabilities can
be considered as trusted addresses and used for verification when the
tunneled packets are received.
7. Deployment Considerations
It is recommended that an implementation provide a configuration
option to trigger the announcement of a PE's encapsulation
capabilities in BGP or LDP. This will help in selective deployment
of this mechanism.
8. IANA Considerations
This document requires the use of a BGP extended community and a LDP
Tunnel encapsulation TLV. We have assigned the next available values to
each of these from the respective number spaces. The sub-type for the
BGP non-transitive opaque Tunnel encapsulation extended community is
assigned value of 0x01. The type of the LDP Tunnel encapsulation TLV is
assigned a value of 0x0506. These values are subject to IANA approval.
9. Security Considerations
This document does not introduce any new security issues. The security
issues identified in [BGP-EXT-COM], [RFC3036], [MPLS-IP-GRE] and
[2547bis] are still relevant.
draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt [Page 7]
Internet Draft draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt February 2003
10. Acknowledgements
We would like to thank Enke Chen, Jenny Yuan, Naiming Shen, Acee Lindem,
and Ravi Chandra for their valuable contributions to this document and
for helping in evolving this mechanism.
Thanks to Yakov Rekhter for his comments and valuable suggestions. We
would also like to thank Eric Rosen and Pedro Roque Marques for their
comments.
11. References
[BGP-EXT-COM] S.R. Sangli et. al., "BGP Extended Communities
Attribute", draft-ietf-idr-bgp-ext-communities-05.txt.
[RFC3036] L. Andersson et. al., "LDP Specification", Request For
Comments 3036.
[MPLS-IP-GRE] T. Worster et. al., "Encapsulating MPLS in IP or GRE",
draft-rosen-mpls-in-ip-or-gre-00.txt.
[2547bis] Rosen, E. et. al., "BGP/MPLS VPNs," Internet-draft
draft-ietf-ppvpn-rfc2547bis-04.txt, January 2002.
[MARTINI] L. Martini. et. al., "Transport of Layer 2 Frames Over
MPLS", draft-ietf-pwe3-control-protocol-00.txt.
[BGP-L2VPN] K. Kompella et. al., "Layer 2 VPNs over Tunnels",
draft-kompella-ppvpn-l2vpn-02.txt.
[BGP-AUTO] Ould-Brahim et. al., "Using BGP as an Auto-Discovery
Mechanism for Network based VPNs",
draft-ietf-ppvpn-bgpvpn-auto-02.txt.
[LDP-SIG] E. Rosen, "LDP-based Signaling for L2VPNs",
draft-rosen-ppvpn-l2-signaling-02.txt.
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[BGP-VPN-IPv6] J. De Clercq et. al., "BGP-MPLS VPN extension for
IPv6 VPN", draft-ietf-ppvpn-bgp-ipv6-vpn-03.txt.
draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt [Page 8]
Internet Draft draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt February 2003
12. Author Information
Rahul Aggarwal
Redback Networks
350 Holger Way
San Jose, CA 95134
Email: rahul@redback.com
Robert Raszuk
Cisco Systems, Inc.
Al Jerozolimskie 146C
02-305 Warsaw, Poland
Email: rraszuk@cisco.com
Francois Le Faucheur
Cisco Systems, Inc.
Village d'Entreprise Green Side - Batiment T3
400, Avenue de Roumanille
06410 Biot-Sophia Antipolis
France
Email: flefauch@cisco.com
Cristallo Geoffrey
Alcatel
Fr. Wellesplein 1, 2018 Antwerp, Belgium
Email: geoffrey.cristallo@alcatel.be
Jeremy De Clercq
Alcatel
Fr. Wellesplein 1, 2018 Antwerpen, Belgium.
Email: Jeremy.De_Clercq@alcatel.be
draft-raggarwa-ppvn-mpls-ip-gre-sig-00.txt [Page 9]
| PAFTECH AB 2003-2026 | 2026-04-22 09:53:13 |