Internet DRAFT - draft-ietf-l2vpn-radius-pe-discovery

draft-ietf-l2vpn-radius-pe-discovery






Network Working Group                                        J. Heinanen
Internet-Draft                                               TutPro Inc.
Expires: April 26, 2006                                    G. Weber, Ed.
                                                             W. Townsley
                                                                S. Booth
                                                                  W. Luo
                                                           Cisco Systems
                                                        October 23, 2005


                Using RADIUS for PE-Based VPN Discovery
              draft-ietf-l2vpn-radius-pe-discovery-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 26, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes a strategy by which Provider Equipment (PE)
   can be dynamically provisioned for inclusion in PE-based Layer 2
   Virtual Private Networks (L2VPNs).  This layered strategy utilizes
   the Remote Authentication Dial In User Service (RADIUS) protocol as a



Heinanen, et al.         Expires April 26, 2006                 [Page 1]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


   centralized control mechanism and can be used in conjunction with
   other proposed mechanisms.  The mechanisms described in this document
   enhance those established by RFC 2868 and conform to those described
   by the L2VPN Framework.


Table of Contents

   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Information Model  . . . . . . . . . . . . . . . . . . . . . .  3
   5.  New RADIUS Attributes  . . . . . . . . . . . . . . . . . . . .  6
     5.1.  Router-Distinguisher . . . . . . . . . . . . . . . . . . .  6
     5.2.  VPN-ID . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     5.3.  Attachment-Individual-ID . . . . . . . . . . . . . . . . .  7
     5.4.  Per-Hop-Behavior . . . . . . . . . . . . . . . . . . . . .  8
     5.5.  PE-Router-ID . . . . . . . . . . . . . . . . . . . . . . .  9
     5.6.  PE-Address . . . . . . . . . . . . . . . . . . . . . . . .  9
     5.7.  PE-Record  . . . . . . . . . . . . . . . . . . . . . . . . 10
   6.  New Values for Existing RADIUS Attributes  . . . . . . . . . . 11
     6.1.  Service-Type . . . . . . . . . . . . . . . . . . . . . . . 11
     6.2.  User-Name  . . . . . . . . . . . . . . . . . . . . . . . . 12
   7.  Table of Attributes  . . . . . . . . . . . . . . . . . . . . . 12
   8.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 14
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 15
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 15
     11.2. Informative References . . . . . . . . . . . . . . . . . . 15
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17
   Intellectual Property and Copyright Statements . . . . . . . . . . 18



















Heinanen, et al.         Expires April 26, 2006                 [Page 2]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   This document uses terminology from [I-D.ietf-l2vpn-l2-framework] and
   [I-D.ietf-l2vpn-signaling].


2.  Acronyms

   AII: Attachment Individual Identifier
   AC: Attachment Circuit
   AGI: Attachment Group Identifier
   AS: Autonomous System
   CE: Customer Equipment
   L2VPN: Layer 2 Provider Provisioned Virtual Private Network
   NAI: Network Access Identifier
   NAS: Network Access Server
   PE: Provider Equipment
   SAI: Source Attachment Identifier
   SAII: Source Attachment Individual Identifier
   RADIUS: Remote Authentication Dial In User Service
   TAI: Target Attachment Identifier
   TAII: Target Attachment Individual Identifier
   VPLS: Virtual Private LAN Service
   VPN: Virtual Private Network
   VPWS: Virtual Private Wire Service


3.  Introduction

   This document describes how in PE-based VPNs a PE of a VPN can use
   RADIUS [RFC2865] to authenticate its CEs and discover the other PEs
   of the VPN.  In RADIUS terms, the CEs are users and the PEs are
   Network Access Servers (NAS) implementing RADIUS client
   functionality.

   A VPN can span multiple Autonomous Systems (AS) and multiple
   providers.  Each PE, however, only needs to be a RADIUS client to a
   RADIUS server of the "local" provider.  In the case in which a CE
   belongs to a "foreign" VPN, the RADIUS server of the local provider
   acts as a proxy client to RADIUS of the foreign provider.


4.  Information Model




Heinanen, et al.         Expires April 26, 2006                 [Page 3]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


   This document presents a model wherein authorization for
   participation in a PE-based VPN can be divided into three different
   layers of access.

   o  CE or AC Authorization
   o  VPN Authorization
   o  Pseudowire Authorization

   The first layer is AC authorization, in which a first sign of life on
   a particular AC triggers an authorization resulting in provisioning
   information particular to the circuit in question.  Once the AC is
   authorized, its VPN membership is authorized separately.  This
   authorization step may result in a number of pseudowire specific
   connections; each of which may be authorized separately.  The
   relationships between these three data representations are shown in
   the diagram below.

   Using a layered approach allows the different stages of authorization
   to be satisfied by separate means based on deployment scenario.  It
   also allows one model to apply to various deployment architectures
   including VPLS and VPWS.  If all three authorization stages are
   accommodated by a RADIUS server, the stages may be combined into a
   single transaction instead of having three separate transactions.




























Heinanen, et al.         Expires April 26, 2006                 [Page 4]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


                                  +--------+
                                  |        |
                                  |   CE   |
                                  |        |
                                  +--------+
                                       |
             +-------------------------+---------------------------+
             |                         |                           |
             |  VPN               +--------+                       |
             |                    |        |                       |
             |                    |   PE   |                       |
             |                    |        |                       |
             |                    +--------+                       |
             |                         |                           |
             |                         |                           |
             |     +------------------------------------------+    |
             |     |              +-------------------------+ |    |
             |     | PE           |   +-------------------+ | |    |
             |     |     Next Hop |   | Pseudowire        | | |    |
             |     |     +--------+ +-|   Per hop behavior| | |    |
             |     |     |          | |   ...             | | |    |
             |     |     |  AII-----+ +-------------------+ | |    |
             |     |     |  AII-----+ +-------------------+ | |    |
             |     |     |  ...     | | Pseudowire        | | |    |
             |     |     |          +-|   Per hop behavior| | |    |
             |     |     |            |   ...             | | |    |
             |     |     |            +-------------------+ | |    |
             |     |     |            ...                   | |    |
             |     |     +----------------------------------+ |    |
             |     +------------------------------------------+    |
             |     +------------------------------------------+    |
             |     |              +-------------------------+ |    |
             |     | PE           |   +-------------------+ | |    |
             |     |     Next Hop |   | Pseudowire        | | |    |
             |     |     +--------+ +-|   Per hop behavior| | |    |
             |     |     |          | |   ...             | | |    |
             |     |     |  AII-----+ +-------------------+ | |    |
             |     |     |  AII-----+ +-------------------+ | |    |
             |     |     |  ...     | | Pseudowire        | | |    |
             |     |     |          +-|   Per hop behavior| | |    |
             |     |     |            |   ...             | | |    |
             |     |     |            +-------------------+ | |    |
             |     |     |            ...                   | |    |
             |     |     +----------------------------------+ |    |
             |     +------------------------------------------+    |
             |       ...                                           |
             +-----------------------------------------------------+




Heinanen, et al.         Expires April 26, 2006                 [Page 5]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


   o  Each pseudowire may have its own per-hop behavior and arbitrary
      configuration information
   o  Each pseudowire is associated with an AII
   o  Each PE includes an arbitrary number of AIIs
   o  Each PE has one associated next hop address
   o  The VPN includes an arbitrary number of PEs

   The following two sections define how the components of this data
   model may be represented as RADIUS attributes so the components of
   this information model may be communicated from a centralized
   location out into the network elements.


5.  New RADIUS Attributes

   This document defines several new RADIUS Attributes which are
   described in detail in this section.

5.1.  Router-Distinguisher

   This attribute represents a Router Distinguisher as described in
   [I-D.ietf-l3vpn-rfc2547bis].  It MAY be included in an Access-Request
   message.  This attribute MUST NOT be included in Access-Request
   messages that also include a "VPN-ID" attribute.

   A summary of the Router-Distinguisher attribute format is shown
   below.  The fields are transmitted from left to right.

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
      |     Type      |    Length     |  Text ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

      Type

         (TBA) for Router-Distinguisher.

      Length

         >= 7

      Text

   The Text field is composed of three colon separated parts: a type, an
   administrator, and an assigned number.

   Where the type is "0", the administrator contains a 16-bit Autonomous



Heinanen, et al.         Expires April 26, 2006                 [Page 6]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


   System Number (ASN), and the assigned number is a 32-bit value
   assigned by enterprise responsible for the ASN, e.g. "0:114:23".

   Where the type is "1", the administrator contains an IP address, and
   the assigned number is a 16-bit value assigned by the enterprise
   controlling the IP address space, e.g. "1:1.2.3.4:10001".

   Where the type is "2", the administrator contains a 32-bit ASN, and
   the assigned number is a 16-bit value assigned by the enterprise
   responsible for the ASN, e.g. "2:70000:216".

5.2.  VPN-ID

   This attribute represents a VPN-ID as described in [RFC2685].  It MAY
   be included in an Access-Request message.  This attribute MUST NOT be
   included in Access-Request messages that also include a Router-
   Distinguisher attribute.

   A summary of the VPN-ID attribute format is shown below.  The fields
   are transmitted from left to right.

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
      |     Type      |    Length     |  Text ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

      Type

         (TBA) for VPN-ID.

      Length

         >= 5

      Text

   The Text field is composed of two colon separated parts: a VPN
   authority Organizationally Unique Identifier, and a VPN index, e.g.
   "101:14".

5.3.  Attachment-Individual-ID

   This attribute indicates a Attachment-Individual-ID as described in
   [I-D.ietf-l2vpn-signaling].

   A summary of the Attachment-Individual-ID attribute format is shown
   below.  The fields are transmitted from left to right.



Heinanen, et al.         Expires April 26, 2006                 [Page 7]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
      |     Type      |    Length     |  Text ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

      Type

         (TBA) for Attachment-Individual-ID.

      Length

         >= 3

      Text

   The Text field is an encoding of the Source Attachment Individual
   Identifier, e.g. "2".

5.4.  Per-Hop-Behavior

   This attribute indicates a Per-Hop-Behavior as described in
   [RFC3140].

   A summary of the Per-Hop-Behavior attribute format is shown below.
   The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |             Value
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                 Value (cont)         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Type

         (TBA) for Per-Hop-Behavior.

      Length

         6

      Integer

   The lower 16-bits of the value contains the Per-Hop-Behavior value as
   described in [RFC3140].




Heinanen, et al.         Expires April 26, 2006                 [Page 8]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


5.5.  PE-Router-ID

   This attribute typically indicates an IPv4 address for a particular
   PE member of a VPN, though it may be some arbitrary value assigned by
   the owner of the ID space.

   A summary of the PE-Router-ID attribute format is shown below.  The
   fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |             Value
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                 Value (cont)         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Type

         (TBA) for PE-Router-ID.

      Length

         6

      Address

   Typically, the value indicates the IPv4 address of a particular PE
   member of a VPN.

5.6.  PE-Address

   This attribute indicates an IPv4 address for a particular PE member
   of a VPN.  In relation to the PE for which a CE is joining the VPN,
   this would be the initial's PE's next hop address.

   A summary of the PE-Address attribute format is shown below.  The
   fields are transmitted from left to right.













Heinanen, et al.         Expires April 26, 2006                 [Page 9]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |             Value
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                 Value (cont)         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Type

         (TBA) for PE-Address.

      Length

         6

      Address

   The value indicates the IPv4 address of a particular PE member of a
   VPN.

5.7.  PE-Record

   This attribute represents a single element within a particular PE's
   description.  A group of PE-Records combine to form a complete PE
   description when returned during VPN authorization.

   A summary of the PE-Record attribute format is shown below.  The
   fields are transmitted from left to right.

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
      |     Type      |    Length     |  Text ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

      Type

         (TBA) for PE-Record.

      Length

         >= 8

      Text

   The Text field contains an AII prefixed by a PE-Router-ID and
   separated by a colon, e.g. "1.1.1.1:14" where the PE-Router-ID is



Heinanen, et al.         Expires April 26, 2006                [Page 10]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


   1.1.1.1 and the AII is 14.  This represents a particular pseudowire.
   The value is optionally suffixed by a colon separated list of
   attribute value pairs containing pseudowire-specific configuration,
   e.g. "1.1.1.1:14:PHB=256".


6.  New Values for Existing RADIUS Attributes

6.1.  Service-Type

   This document defines one new value for an existing RADIUS attribute.
   The Service-Type attribute is defined in Section 5.6 of RFC 2865
   [RFC2865], as follows:

   This Attribute indicates the type of service the user has requested,
   or the type of service to be provided.  It MAY be used in both
   Access-Request and Access-Accept packets.

   A NAS is not required to implement all of these service types, and
   MUST treat unknown or unsupported Service-Types as though an Access-
   Reject had been received instead.

   A summary of the Service-Type Attribute format is shown below.

   The fields are transmitted from left to right.


























Heinanen, et al.         Expires April 26, 2006                [Page 11]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |             Value
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                 Value (cont)         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


     Type

         6 for Service-Type.

      Length

         6

      Value

         The Value field is four octets.

      This document defines one new value for the Service-Type
      attribute.

      (TBA)     L2VPN

      The semantics of the L2VPN service are as follows:

      L2VPN   A CE is requesting to join a VPN.

6.2.  User-Name

   This attribute defined by [RFC2865] takes a value depending on which
   layer of VPN authorization is occurring.

   o  For CE/AC authorization, the User-Name value contains either a
      Network Access Identifier (NAI) associated with the CE [RFC2486],
      or an implementation dependent AC name.
   o  For VPN authorization, the User-Name value contains the VPN-ID or
      a Router-Distinguisher.
   o  For pseudowire authorization, the User-Name value contains a PE-
      Router-ID.


7.  Table of Attributes

   The following tables provide a guide to which attributes may be found
   in which kinds of packets, and in what quantity.



Heinanen, et al.         Expires April 26, 2006                [Page 12]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


   CE/AC Authorization
   Request Accept Reject Challenge  #    Attribute
   ---------------------------------------------------------------------
   0       0-1      0        0     TBA   Router-Distinguisher
   0       0-1      0        0     TBA   VPN-ID

   VPN Authorization
   Request Accept Reject Challenge  #    Attribute
   ---------------------------------------------------------------------
   0-1     0        0        0     TBA   Router-Distinguisher
   0-1     0        0        0     TBA   VPN-ID
   0       0+       0        0     TBA   Attachment-Individual-ID
   0       0-1      0        0     TBA   Per-Hop-Behavior
   0       0-1      0        0     TBA   PE-Router-ID
   0       0-1      0        0     TBA   PE-Address
   0       0+       0        0     TBA   PE-Record

   Pseudowire Authorization
   VPN Authorization
   Request Accept Reject Challenge  #    Attribute
   ---------------------------------------------------------------------
   0-1     0        0        0     TBA   Router-Distinguisher
   0-1     0        0        0     TBA   VPN-ID
   1       0        0        0     TBA   Attachment-Individual-ID
   0       0-1      0        0     TBA   Per-Hop-Behavior

   The following table defines the meaning of the above table entries.

   0    This attribute MUST NOT be present in a packet.
   0+   Zero or more instances of this attribute MAY be present in
        a packet.
   0-1  Zero or one instance of this attribute MAY be present in
        a packet.
   1    Exactly one instance of this attribute MUST be present in
        a packet.
















Heinanen, et al.         Expires April 26, 2006                [Page 13]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


8.  Examples


   CE/AC Authorization

     Request
       User-Name = "providerX/atlanta@vpnY.domainZ.net" (CE NAI)
       NAS-IP-Address = "1.1.1.1"
     Response
       VPN-ID = "100:14"

     Request
       User-Name = "ATM14.0.1" (AC Name)
       NAS-IP-Address = "1.1.1.1"
     Response
       Router-Distinguisher = "1:1.2.3.4:10001"

   VPN Authorization

     Request
       User-Name = "100:14"  (VPN-ID)
       NAS-IP-Address = "1.1.1.1"
     Response
       PE-Record = "2.2.2.2:14"  (PE-Router-ID:AII)
       PE-Record = "2.2.2.2:15"
       PE-Record = "3.3.3.3:24"
       PE-Record = "3.3.3.3:25"

     Request
       User-Name = "100:14"  (VPN-ID)
       NAS-IP-Address = "1.1.1.1"
     Response
       PE-Record = "2.2.2.2:14:PHB=256"

   Pseudowire Authorization

     Request
       User-Name = "2.2.2.2" (PE-Router-ID)
       NAS-IP-Address = "1.1.1.1"
       Attachment-Individual-ID = "14"
       VPN-ID = "100:14"
     Response
       Per-Hop-Behavior = "256"


9.  Security Considerations

   [TBD]



Heinanen, et al.         Expires April 26, 2006                [Page 14]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


10.  IANA Considerations

   [TBD]


11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege,
              M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol
              Support", RFC 2868, June 2000.

   [RFC2685]  Fox, B. and B. Gleeson, "Virtual Private Networks
              Identifier", RFC 2685, September 1999.

11.2.  Informative References

   [I-D.ietf-l2vpn-signaling]
              Rosen, E., "Provisioning, Autodiscovery, and Signaling in
              L2VPNs", draft-ietf-l2vpn-signaling-06 (work in progress),
              September 2005.

   [I-D.ietf-pwe3-control-protocol]
              Martini, L., "Pseudowire Setup and Maintenance using the
              Label Distribution Protocol",
              draft-ietf-pwe3-control-protocol-17 (work in progress),
              June 2005.

   [I-D.ietf-l3vpn-rfc2547bis]
              Rosen, E., "BGP/MPLS IP VPNs",
              draft-ietf-l3vpn-rfc2547bis-03 (work in progress),
              October 2004.

   [RFC2279]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", RFC 2279, January 1998.

   [I-D.ietf-l2vpn-l2-framework]
              Andersson, L. and E. Rosen, "Framework for Layer 2 Virtual
              Private Networks (L2VPNs)",
              draft-ietf-l2vpn-l2-framework-05 (work in progress),



Heinanen, et al.         Expires April 26, 2006                [Page 15]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


              June 2004.

   [RFC2486]  Aboba, B. and M. Beadles, "The Network Access Identifier",
              RFC 2486, January 1999.

   [RFC3140]  Black, D., Brim, S., Carpenter, B., and F. Le Faucheur,
              "Per Hop Behavior Identification Codes", RFC 3140,
              June 2001.











































Heinanen, et al.         Expires April 26, 2006                [Page 16]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


Authors' Addresses

   Juha Heinanen
   TutPro Inc.
   Utsjoki
   Finland

   Email: jh@tutpro.com


   Greg Weber (editor)
   Cisco Systems
   10850 Murdock Road
   Knoxville, TN  37932
   US

   Email: gdweber@cisco.com


   W. Mark Townsley
   Cisco Systems
   7025 Kit Creek Road
   Research Triangle Park, NC  27709
   US

   Email: mark@townsley.net


   Skip Booth
   Cisco Systems
   7025 Kit Creek Road
   Research Triangle Park, NC  27709
   US

   Email: ebooth@cisco.com


   Wei Luo
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA  95134
   US

   Email: luo@cisco.com







Heinanen, et al.         Expires April 26, 2006                [Page 17]

Internet-Draft   Using RADIUS for PE-Based VPN Discovery    October 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Heinanen, et al.         Expires April 26, 2006                [Page 18]