Internet Engineering Task Force                                  CY Lee
INTERNET DRAFT                                            M Higashiyama
Informational                                             November 2002

                      CE-based Virtual Private LAN

Status of this memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To view the list of Internet-Draft Shadow Directories, see
   http://www.ietf.org/shadow.html.

Abstract

   This draft describes how a Virtual Private LAN (VPL) can be realized
   without having to bridge an enterprise's private Ethernet traffic in
   a provider's network. In addition, it describes the benefits of
   confining the bridging of an enterprise's Ethernet traffic to CE
   (Customer Edge) or CLE (Customer Located Equipment) devices, when
   compared to a PE-based VPL such as [VPLS].

1. Terminology

   CE      Customer Edge [PPVPN-REQ]
   CLE     Customer Located Equipment
   CPVPL   Customer Provisioned VPL
   LCCE    L2TP Control Connection Endpoint [L2TPv3]
   MAN     Metropolitan Area Network
   P       Provider's Network Equipment (excluding PE)
   PE      Provider Edge [PPVPN-REQ]
   PPVPL   Provider Provisioned VPL
   PSN     Packet Switched Network
   PW      Pseudo-Wire
   VPL     Virtual Private LAN

Expires June 2003                                               [Page 1]

Internet Draft               CE-based VPL                  November 2002

2. Introduction

   CE-based VPL over different types of tunneling technologies has been
   used for a number of years now, and could be viewed as a proven
   technology. A network user provisions the required tunnels (or
   circuits) at a CE to remote CE(s), and the CEs bridge Ethernet
   traffic over the tunnels.
2.1 CE-based VPL features

   * For an IP PSN, connectivity state is kept only in CEs; no VPL
     connectivity state is required in PEs or Ps. For an ATM network,
     connectivity state is created in the network to provide QoS paths.
     In contrast, in [VPLS] using LDP, the path state created in the
     IP/MPLS network is for connectivity purposes, not for providing
     QoS. In this case, [VPLS] creates state in the network with no
     compelling reason.

   * CEs belonging to the same VPL learn, store and manage the VPL
     forwarding information and bridge traffic within the VPL. PEs do
     not have to learn MAC addresses from different VPLs, hence this
     approach scales to a large number of VPLs and total MAC addresses
     in a network. The provider need not set limits on the number of
     MAC addresses per VPL/CE at PEs.

   * Bridging within a VPL does not affect other VPLs (or customers). A
     CE bridge which is not functioning correctly will only affect its
     own VPL. In contrast, if bridging is also performed at PEs, a
     malfunctioning CE may cause network instability and affect other
     VPLs as well. Hence a CE-based VPL is operationally more stable.

   * Routers over the "WAN" can peer using a VPL, so that the "WAN"
     connectivity appears as a broadcast domain instead. This
     simplifies router configuration for the customer.

   * CEs may be located intra-domain or inter-domain as long as the CEs
     have IP reachability to each other. CEs in different MANs or rings
     can send VPL traffic to each other without resorting to VLAN
     stacking, as long as there is IP reachability in the network.
     (Note: this does not imply that routing is required; e.g. the CEs
     may all be in the same subnet in the provider's network.)

   * In a network-based VPL, as the number of customers/VPLs and total
     MAC addresses grow in a provider's network, existing devices in
     the network will need to be upgraded or replaced by new devices. A
     CE-based VPL approach scales as the number of VPLs and the total
     number of MAC addresses in VPLs grow, and allows CEs in different
     MANs to be interconnected seamlessly.

   * Multiple tunnels to other CE sites can be automatically configured
     on CEs if a tunnel endpoint information discovery mechanism is
     used.

   * CE-based VPL can be offered over an existing VLAN (802.1Q) network
     and co-exist with existing VLANs.

   * New VPLs can be added transparently in an IP/MPLS network, without
     having to upgrade PEs with bridging functions.

   * CE-based VPL may be used in conjunction with IPSec [L2TP-IPSec] to
     provide secure transmission of traffic from CE to CE in an IP PSN.

3. CE-based VPL

   In a CE-based VPL, tunnels are set up between the sites of a VPL as
   shown in Figure 1. Each site has either a CE or a CLE connected to
   the PSN. In a PPVPL, the provider provisions the VPL: a tunnel MAY be
   set up from CLE to CLE, and the CLEs MAY be owned by the provider;
   or the tunnels MAY be set up from CE to CE, and the CEs MAY be owned
   by the customer. In a CPVPL, a customer provisions its own VPL: a
   point-to-point tunnel from CE to CE may be provisioned by the
   customer at the CEs, or alternatively a point-to-point tunnel may be
   provisioned by the provider from PE to PE.

   A tunnel appears as a virtual port or interface to the bridge entity
   in a CE. At a CE, Ethernet traffic from a VPL is encapsulated in, for
   example, an L2TPv3, GRE or IPSec tunnel, or an FR VC or ATM VCC, and
   transported over the IP/FR/ATM network to another CE of the VPL. The
   receiving CE decapsulates the Ethernet frame and bridges the frame
   from the virtual port to the destination node in the VPL.

        Emulated Service (Broadcast Domain/"LAN", within dotted lines)

                  ..................................
   Native         .                                .       Native
   Ethernet       .                                .       Ethernet
   or             .      |<-- PSN Tunnel-->|       .       or
   VLAN           .                                .       VLAN
   Service        .   +----+            +----+     .       Service
      |           .   |CE/ |            |CE/ |     .          |
   Customer-------.---|CLE |============|CLE |-----.-------Customer
   LAN    |       .   | 1  |            | 2  |     .       |   LAN
   Site 1 |       .   +----+            +----+     .       |   Site 2
                  .      \\              //        .
                  .       \\            //         .
                  .        \\          //          .
                  .   PSN   \\        //   PSN     .
                  .  Tunnel  \\ +----+ //  Tunnel  .
                  .           \\|CE/ |//           .
                  .            \|CLE |/            .
                  .             | 3  |             .
                  .             +----+             .
                  .               |                .
                  ..................................
                                  |
                                  |  Native Ethernet or VLAN Service
                                  |
                           Customer LAN Site 3


   Customer ----------------|----------------Customer
   LAN Site 1               |                LAN Site 2
                            |----------------Customer
                            |                LAN Site 3

                    Fig 1  Emulated Ethernet Segment

4. CE-based VPL using Pseudo-wire Ethernet over L2TPv3

   Pseudo-wire Ethernet over L2TPv3 is specified in [ETH-PW-L2TPv3],
   which describes how network devices emulate Ethernet over an IP
   network using L2TPv3 as the tunneling protocol. CEs supporting
   [ETH-PW-L2TPv3] in a PPVPL or CPVPL are applications of
   [ETH-PW-L2TPv3]. Additional functions of these applications are
   identified in the next section.

4.1 Additional functions required

4.1.1 Tunnel Endpoint Information Configuration

   The tunnel endpoint information required at an LCCE (CE) is the IP
   addresses and End Identifiers of peer LCCEs, and the authentication
   keys. The tunnel endpoint information may be pre-configured or
   remotely provisioned; alternatively, a mechanism to discover and
   distribute the tunnel endpoint information may be used, or a
   mechanism where the tunnel endpoint information is retrieved from a
   server may be used. To avoid having to provision deployed CEs, a
   mechanism to auto-discover and distribute VPL site information is
   useful. [CE-AUTOCONFIG] or a directory query approach similar to
   [VPLS-DNS] are examples of mechanisms that may be used for this
   purpose. In particular, for [CE-AUTOCONFIG] the Authentication
   Server/RADIUS approach is applicable to both a PPVPL and a CPVPL,
   while the DHCP approach is only applicable to a PPVPL where the CEs
   are within one domain (e.g. for VPLs offered by a network provider).
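   The following Python model is an added example, not code from this
   draft or from either author. It shows what Sections 3 and 4.1.1
   describe: a CE whose bridge treats each tunnel as a virtual port,
   encapsulates frames toward a peer in an L2TPv3-over-IP style data
   header (Session ID followed by the session cookie, the RFC 3931
   layout), and on receipt checks the Session ID and cookie against the
   tunnel endpoint information configured for that peer before bridging
   the frame into the site LAN. All site names, addresses, Session IDs,
   cookies and MAC addresses are constructed; the split-horizon rule
   between tunnels is an assumption for a full mesh of CEs and is not
   something the draft prescribes.

```python
"""CE-based VPL bridge model: added example, not code from this draft.

Ports are local Ethernet ports or virtual ports backed by an L2TPv3-style
tunnel to a peer CE (Session ID + cookie header, RFC 3931 over-IP layout).
All names, addresses, Session IDs and cookies below are constructed.
"""
import struct
from dataclasses import dataclass

BROADCAST = b"\xff" * 6

@dataclass
class TunnelEndpoint:          # endpoint information for one peer LCCE
    peer_ip: str               # IP address of the peer LCCE
    end_id: str                # End Identifier of the peer
    local_session: int         # Session ID the peer puts on frames sent to us
    remote_session: int        # Session ID we put on frames sent to the peer
    cookie: bytes              # shared cookie (0, 4 or 8 bytes in L2TPv3)

def encapsulate(ep, frame):
    """L2TPv3-over-IP data message: Session ID, cookie, raw Ethernet frame."""
    return struct.pack("!I", ep.remote_session) + ep.cookie + frame

def decapsulate(ep, packet):
    """Return the Ethernet frame, or None to drop it (too short, wrong
    Session ID, or a cookie that differs from the one configured)."""
    hdr = 4 + len(ep.cookie)
    if len(packet) < hdr + 14 or packet[4:hdr] != ep.cookie:
        return None
    if struct.unpack("!I", packet[:4])[0] != ep.local_session:
        return None
    return packet[hdr:]

class CEBridge:
    def __init__(self):
        self.local_ports = []  # ports on the site LAN
        self.tunnels = {}      # virtual port name -> TunnelEndpoint
        self.fdb = {}          # learned MAC -> port
        self.sent = []         # (port, bytes) of everything that left the CE

    def _emit(self, port, frame):
        ep = self.tunnels.get(port)
        self.sent.append((port, encapsulate(ep, frame) if ep else frame))

    def receive_local(self, in_port, frame):
        """802.1D-style learn-and-forward for a frame arriving on any port."""
        dst, src = frame[:6], frame[6:12]
        self.fdb[src] = in_port
        out = self.fdb.get(dst)
        if dst == BROADCAST or out is None:  # flood broadcast/unknown unicast
            ports = list(self.local_ports)
            if in_port not in self.tunnels:  # assumption: full mesh, so apply
                ports += list(self.tunnels)  # split horizon between tunnels
            for p in ports:
                if p != in_port:
                    self._emit(p, frame)
        elif out != in_port:
            self._emit(out, frame)

    def receive_tunnel(self, port, packet):
        """Bridge a packet from a virtual port; False means it was dropped."""
        frame = decapsulate(self.tunnels[port], packet)
        if frame is None:
            return False
        self.receive_local(port, frame)
        return True

    def tunnel_down(self, port):
        """Keepalives failed on this tunnel: forget MACs learned over it."""
        self.fdb = {m: p for m, p in self.fdb.items() if p != port}

def build_frame(dst, src, payload):
    return dst + src + b"\x08\x00" + payload

MAC_A = bytes.fromhex("020000000001")  # host at site 1 (constructed)
MAC_B = bytes.fromhex("020000000002")  # host at site 2 (constructed)

def demo():
    """Broadcast from site 1, unicast reply from site 2, then a bad cookie."""
    c12, c13 = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    ce1, ce2 = CEBridge(), CEBridge()
    ce1.local_ports, ce2.local_ports = ["eth0"], ["eth0"]
    ce1.tunnels["vp2"] = TunnelEndpoint("192.0.2.2", "site2", 0x1001, 0x2001, c12)
    ce1.tunnels["vp3"] = TunnelEndpoint("192.0.2.3", "site3", 0x1002, 0x3001, c13)
    ce2.tunnels["vp1"] = TunnelEndpoint("192.0.2.1", "site1", 0x2001, 0x1001, c12)
    r = {}
    ce1.receive_local("eth0", build_frame(BROADCAST, MAC_A, b"who-has B"))
    r["ce1_flood_ports"] = [p for p, _ in ce1.sent]          # both tunnels
    ce2.receive_tunnel("vp1", dict(ce1.sent)["vp2"])
    ce1.sent.clear()
    r["ce2_relay_ports"] = [p for p, _ in ce2.sent]          # site LAN only
    r["ce2_learned_a_on"] = ce2.fdb[MAC_A]                   # A is behind vp1
    ce2.sent.clear()
    ce2.receive_local("eth0", build_frame(MAC_A, MAC_B, b"is-at B"))
    r["reply_port"], reply = ce2.sent[0]                     # unicast via vp1
    ce1.receive_tunnel("vp2", reply)
    r["ce1_forward_ports"] = [p for p, _ in ce1.sent]        # delivered to eth0
    spoof = struct.pack("!I", 0x1001) + bytes(8) + build_frame(MAC_A, MAC_B, b"x")
    r["spoof_accepted"] = ce1.receive_tunnel("vp2", spoof)   # cookie mismatch
    ce1.tunnel_down("vp2")
    r["ce1_fdb_after_down"] = sorted(ce1.fdb)                # only A remains
    return r
```

   Running demo() walks a broadcast from site 1 across every tunnel, the
   unicast reply that CE2 sends only over the tunnel it learned the
   source on, and a packet that carries the right Session ID but the
   wrong cookie: decapsulate() returns None and the frame never reaches
   the customer LAN, which is the property the per-peer cookie in the
   endpoint configuration is there to give. tunnel_down() is the bridge
   side of the keepalive monitoring in Section 4.1.2: entries learned
   over a tunnel whose sessions have stopped answering are flushed so
   that traffic is re-flooded rather than black-holed.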
4.1.2 VPL Monitoring

   The session keep-alive mechanism of L2TPv3 can serve as a link status
   monitoring mechanism for the point-to-point tunnels (sessions) that
   make up the VPL. Testing of the reachability of nodes in the VPL from
   different sites may be performed at irregular intervals.

5. Acknowledgment

   The authors would like to thank Jeremy de Clercq and Jeanne DeJaegher
   for their helpful comments on the initial version of this draft. The
   draft benefited from discussions with Sasha Cirkovic, Jeff Smith,
   Raymond Chang, Roy Nighswander, Neil Harrison, Alexis Berthillier,
   Dean Welsh and Arnold Jansen.

6. References

   [802.1D]        IEEE, "ISO/IEC 15802-3:1998 (802.1D, 1998 Edition),
                   Information technology -- Telecommunications and
                   information exchange between systems -- IEEE standard
                   for local and metropolitan area networks -- Common
                   specifications -- Media access control (MAC)
                   Bridges", June 1998.

   [802.1Q]        ANSI/IEEE Standard 802.1Q, "IEEE Standards for Local
                   and Metropolitan Area Networks: Virtual Bridged Local
                   Area Networks", 1998.

   [802.3]         IEEE, "ISO/IEC 8802-3: 2000 (E), Information
                   technology -- Telecommunications and information
                   exchange between systems -- Local and metropolitan
                   area networks -- Specific requirements -- Part 3:
                   Carrier Sense Multiple Access with Collision
                   Detection (CSMA/CD) Access Method and Physical Layer
                   Specifications", 2000.

   [BCP]           Higashiyama, M. and F. Baker, "PPP Bridging Control
                   Protocol (BCP)", RFC 2878, July 2000.

   [L2TP]          Townsley, W., Valencia, A., Rubens, A., Singh Pall,
                   G., Zorn, G., Palter, B., "Layer Two Tunneling
                   Protocol (L2TP)", RFC 2661, August 1999.

   [L2TPv3]        Lau, J., Townsley, M., Valencia, A., Zorn, G.,
                   Goyret, I., Pall, G., Rubens, A., Palter, B., "Layer
                   Two Tunneling Protocol "L2TP"",
                   draft-ietf-l2tpext-l2tp-base-01.txt, work in
                   progress, July 2001.

   [L2TP-IPSEC]    Patel, B., Aboba, B., Dixon, W., Zorn, G., Booth, S.,
                   "Securing L2TP using IPSec", RFC 3193.

   [ETH-L2TPv3]    Aggarwal, et al., "Transport of Ethernet Frames over
                   L2TPv3", draft-ietf-l2tpext-pwe3-ethernet-00.txt,
                   October 2002.

   [ETH-PW-L2TPv3] CY Lee, M Higashiyama, "Ethernet Pseudo-Wire over
                   L2TPv3", November 2002.

                   "Internet Architectural Guidelines and Philosophy",
                   http://www.ietf.org/internet-drafts/draft-ymbk-arch-guidelines-05.txt

   [EOL2TP]        M. Higashiyama, "Ethernet Over L2TP",
                   draft-higashiyama-eol2tp-01.txt.

   [PPVPN-REQ]     M. Carugi, D. McDysan, L. Fang, F. Johansson, Ananth
                   Nagarajan, J. Sumimoto, R. Wilder, "Service
                   requirements for Layer 3 Provider Provisioned Virtual
                   Private Networks",
                   draft-ietf-ppvpn-requirements-04.txt.

   [CEVPN]         De Clercq, J., et al., "Provider Provisioned CE-based
                   Virtual Private Networks using IPsec",
                   draft-ietf-ppvpn-ce-based-01.txt, work in progress.

   [Kompella]      Kompella, K., Leelanivas, M., Vohra, Q., Bonica, R.,
                   Metz, E., Ould-Brahim, H., Achirica, J., Z.,
                   "MPLS-based Layer 2 VPNs",
                   draft-kompella-ppvpn-l2vpn-00.txt, work in progress,
                   July 2001.

   [Martini-encap] Martini, L., El-Aawar, N., Tappan, D., Rosen, E.,
                   Jayakumar, J., Vlachos, D., Liljenstolpe, C., Heron,
                   G., Kompella, K., Vogelsang, S., Shirron, J., Smith,
                   T., Radoaca, V., Malis, A., Sirkay, V., Cooper, D.,
                   "Encapsulation Methods for Transport of Layer 2
                   Frames Over IP and MPLS Networks",
                   draft-martini-l2circuit-encap-mpls-03.txt, work in
                   progress, July 2001.

   [PWE3-frame]    Pate, P., Xiao, X., So, T., Malis, A., Nadeau, T.,
                   White, C., Kompella, K., Johnson, T., "Framework for
                   Pseudo Wire Emulation Edge-to-Edge (PWE3)",
                   draft-pate-pwe3-framework-02.txt, work in progress,
                   July 2001.

   [VPLS]          Lasserre, M., Kompella, V., et al., "Virtual Private
                   LAN Services over MPLS",
                   draft-lasserre-vkompella-ppvpn-vpls-01.txt, March
                   2002.

   [VPLS-DNS]      Heinanen, "DNS/LDP Based VPLS",
                   draft-heinanen-dns-ldp-vpls-00.txt, January 2002.

   [CE-AUTOCONFIG] CY Lee, "CE Auto-Configuration",
                   draft-lee-ppvpn-ce-auto-config-01.txt, work in
                   progress, July 2002.

   [RADIUS]        Rigney, C., Willens, S., Rubens, A. and W. Simpson,
                   "Remote Authentication Dial In User Service
                   (RADIUS)", RFC 2865, June 2000.

Authors' Information

   Cheng-Yin Lee
   Cheng-Yin.Lee@alcatel.com

   Mitsuru Higashiyama
   Mitsuru.Higashiyama@yy.anritsu.co.jp