Network Working Group Gargi Nalawade Internet Draft Ruchi Kapoor Expires: April 2006 Dan Tappan Scott Wainner Cisco Systems Tunnel SAFI draft-nalawade-kapoor-tunnel-safi-04.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract The architecture of an MPLS VPN solution relies on the establishment of two layers of reachability information. The first is the association of a prefix, interface, or route table to a VPNv4 label that is used on the egress PE to delineate a Virtual Route Forwarding table. The second is the association of the next-hop to reach the egress PE. By default, the MPLS VPN establishes an LSP tunnel from the ingress PE to the egress PE. A requirement exists to establish draft-nalawade-kapoor-tunnel-safi-04.txt [Page 1] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 an IP tunnel between the ingress and egress PE in lieu of an LSP. The egress PE's tunnel capability needs to be distributed to all the potential ingress PE's as well as the attributes of the tunnel. The tunnel end-point discovery may occur within and across Autonomous Systems. BGP is the logical protocol of choice that is widely deployed for MPLS VPN solutions and can carry this information in a synchronized manner. This document defines how BGP speakers can convey Tunnel end-point reachability information. 1. Introduction Two end-points of a tunnel need to agree upon the end-point information and its binding to a network address at the remote point. Normally, this information can be manually shared and statically configured when the number of tunnels to manage is relatively small. In the case of a network such as an MPLS VPN where there is a need for a tunnel between every ingress and egress PE, the number of tunnel end-points that need to be exchanged and maintained grows dramatically as the network becomes large. The egress PE already defines reachability information for the private routing information as well as the NLRI of the PE itself. This information is distributed via MP-BGP to any number of potential ingress PE. The extent of distribution of egress PE's NLRI and next-hop is unknown by the egress PE; therefore, egress PE cannot feasibly know the tunnel attributes for any potential ingress PE unless the egress PE assigns these attributes. The egress PE needs to advertise it's capability to receive tunneled packets, the types of tunnels supported, the preference for the various tunnel methods, and the attributes associated with the tunnels. The tunnel information then needs to be distributed and maintained using MP-BGP such that every potential ingress PE knows the appropriate tunnel method and attributes of the egress PE. The tunnel capabilities are uniquely defined for a given PE and may or may not correlate with the capabilities of any other potential ingress PE. For this reason, the ingress PE may select the most appropriate tunneling mechanism based on the compability of the tunnel capabilities between the ingress and egress PE's and their preferences. 2. The Tunnel SAFI This document defines a new BGP SAFI called the Tunnel SAFI. The [IANA-AFI] [IANA-SAFI] value pair used to identify this SAFI are- AFI=1, SAFI=64, for the IPv4 Tunnel AFI; and AFI=2, SAFI=64 for the IPv6 Tunnel AFI. For BGP Speakers supporting [BGP-4], the tunnel end point address will be carried as an NLRI in the MP_REACH attribute for the Tunnel SAFI. draft-nalawade-kapoor-tunnel-safi-04.txt [Page 2] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 The NLRI will be encoded as a 2-octet Identifier followed by the NLRI format as specified by the respective AFI. The Identifier will identify the tunnel end point being advertised. This Identifier enables multiple tunnel end-points to share the same network address, thus conserving the number of addresses needed to be configured by the operator on each of the Tunnel-endpoints. 3. BGP Attribute The BGP Tunnel Encapsulation Attribute [BGP-TUN] will be used to carry The Tunnel end-point information. The egress PE may support one or more tunnel methods. The egress PE MUST advertise all tunnel types for which it will support tunnel termination. The egress PE MAY advertise one or more tunnel types. If a BGP SPeaker supports the BGP Tunnel SAFI then it MUST understand the Tunnel Encapsulation attribute [BGP-TUN]. A BGP update for the Tunnel SAFI MUST never be sent without the BGP Tunnel Encapsulation Attribute. As defined in [BGP-TUN], the first bit of the TYPE field in the BGP Tunnel Encapsulation Attribute is the 'transitive bit'. If the bit value is 1, implies that this tunnel is transitive. If the bit value is 0, it implies this specific tunnel is not transitive. The Value Field of the BGP Tunnel Encapsulation Attribute, MUST contain at least one of the following valid Type codes for this SAFI. It MAY contain one or more TLVs with these Type codes. Type 1: L2TPv3 Tunnel information Type 2: mGRE Tunnel information Type 3: IPSec Tunnel information Type 4: MPLS Tunnel information Type 5: L2TPv3 in IPSEC Tunnel information Type 6: mGRE in IPSEC Tunnel information 3.1. L2TPv3 Tunnel information TLV The L2TPv3 Tunnel Information TLV has a type value of 1. The value part of the L2TPv3 Tunnel Information Type contains the following : draft-nalawade-kapoor-tunnel-safi-04.txt [Page 3] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 - Preference (2 Octets) - Flags (1 Octet) - Cookie Length (1 Octet) - Session ID (4 Octets) - Cookie (Variable) The L2TPv3 Tunnel Information TLV looks as follows : 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |T| Type = 0x01 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Preference (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |S| Flags | Cookie Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Session ID (4 Octets) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Cookie (Variable) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ where Length - A 2 Octet field that specifies the length of the L2TPv3 attribute in octets. Preference - A 2 Octet field containing a Preference associated with the TLV. The Preference value indicates a preferred ordering of tunneling encapsulations according to the sender (i.e. egress PE). The recipient of the information SHOULD take the sender's preference into account in selecting which encapsulation it will use. A higher value indicates a higher preference. Flags - A 1 Octet field containing flag-bits. The leftmost bit indicates whether Sequence numbering is to be used or not. The remaining bits are reserved for future use. draft-nalawade-kapoor-tunnel-safi-04.txt [Page 4] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 Cookie Length - is a 1 Octet field that contains the length of the Variable length Cookie. Session ID - A 4 Octet field containing a non-zero identifier for a session. The Session ID is used to delineate services on the egress PE. The support for a service such as MPLS VPN MUST have at least one Session ID assigned. Multiple Session ID's may be assigned for the same service instance. The primary motivation for assigning multiple Session ID's for the same service instance is provide a graceful transition when changing cookie values. The egress PE can receive both Session ID's with their unqiue Cookie value thus allowing a graceful roll-over from an old Session ID and Cookie to a new Session ID and Cookie. Alternatively, multiple service instances may be distributed across multiple processes in order to scale. Each service instance may be assigned a unique Session ID and Cookie and advertised by BGP such that packets received from the ingress PE are directed to the appropriate service instance on the egress PE. Cookie - Cookie is a variable length (maximum 64 bits), value used by L2TPv3 to check the association of a received data message with the session identified by the Session ID. The Cookie value is tightly coupled with the Session ID. Upon the generation of a Session ID by the egress PE, the associated Cookie MAY be generated such that packets received by the egress PE from an ingress PE can be quickly validated for proper service context. The default value of the Length Field for the L2TPv3 Tunnel information TLV is between 8 and 16 bytes, depending on the length of the Cookie field specified in Cookie length. If the length of the TLV is greater than that value, the subsequent portion of the Value field contains one or more sub-TLVs as defined in [BGP-TUN]. 3.2. mGRE Tunnel Information TLV The mGRE Tunnel Information Type has a Type 2. The value part of the mGRE Tunnel Information Type contains the following : - Preference (2 Octets) - Flags (1 Octet) - mGRE Key (0 or 4 Octets) The mGRE Tunnel Information TLV looks as follows : 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ draft-nalawade-kapoor-tunnel-safi-04.txt [Page 5] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 |T| Type = 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Preference (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |S|K| Flags | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | mGRE Key (4 Octets) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Length - A 2 Octet field that specifies the length of the mGRE information in octets. Preference - A 2 Octet field containing a Preference associated with the TLV. The Preference value indicates a preferred ordering of tunneling encapsulations according to the sender (i.e. egress PE). The recipient of the information (i.e. ingress PE) SHOULD take the sender's preference into account in selecting which encapsulation it will use. A higher value indicates a higher preference. Flags - A 1 Octet field containing flag-bits. The leftmost bit indicates whether Sequence numbering is to be used or not. The 2nd bit Indicates whether an mGRE Key is present or not. The Remaining bits are reserved for future use. Reserved - A 1 Octet field reserved for future use mGRE Key - A 4 Octet field containing an optional mGRE Key. The key value may be generated by the egress PE and advertised by the egress PE to any potential ingress PE. In this case, the key value has unidirectional relevance from all viable ingress PE's to the egress PE. Alternatively, the key value may be statically configured such that all ingress and egress PE's use the same key value. If the Length field of the TLV contains a value greater than 3 Octets plus the value specified in the Key Length, the subsequent portion of the Value field contains one or more sub-TLVs as defined by [BGP- TUN]. 3.3. IPSec Tunnel Information TLV The IPSec Tunnel Information Type has a Type 3. The value part of the IPSec Tunnel Information Type contains the following : draft-nalawade-kapoor-tunnel-safi-04.txt [Page 6] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 - Preference (2 Octets) - Flags (1 Octet) - IKE ID Type (1 Octets) - IKE ID Length (2 Octets) - IKE Identifier (Variable) The IPSec Tunnel Information TLV looks as follows : 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |T| Type = 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Preference (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Flags | IKE_ID Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IKE_LNG (2 Octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IKE Identifier (Variable) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Length - A 2 Octet field that specifies the length of the IPSec information in octets. Preference - A 2 Octet field containing a Preference associated with the TLV. The Preference value indicates a preferred ordering of tunneling encapsulations according to the sender. The recipient of the information SHOULD take the sender's preference into account in selecting which encapsulation it will use. A higher value indicates a higher preference. Flags - A 1 Octet field containing flag-bits. IKE_ID Type - This 1 Octet field identifies the type of IKE Identifier used by the egress PE IKE_LNG - This 2 Octet field indicates the length of the IKE Identifier. IKE Identifier - A variable length field containing an IKE Identifier of the egress PE. draft-nalawade-kapoor-tunnel-safi-04.txt [Page 7] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 If the Length field of the TLV contains a value greater than 11 Octets plus the value specified in the Key Length, the subsequent portion of the Value field contains one or more sub-TLVs as defined by [BGP-TUN]. 3.4. MPLS TLV The MPLS TLV has a Type 4. The value part of the MPLS TLV contains the following : - Preference (2 Octets) - Flags (1 Octet) The MPLS Tunnel Information TLV looks as follows : 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |T| Type = 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Preference (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Flags | +-+-+-+-+-+-+-+-+ Length A 2 Octet field that specifies the length of the MPLS TLV in octets. Preference A 2 Octet field containing a Preference associated with the TLV. The Preference value indicates a preferred ordering of tunneling encapsulations according to the sender. The recipient of the information SHOULD take the sender's preference into account in selecting which encapsulation it will use. A higher value indicates a higher preference. Flags - A 1 Octet field containing flag-bits. 3.5. L2TPv3 in IPSEC TLV When the value in the Type field is 5, the Value portion of the SAFI-Specific Attribute TLV will carry an IPSec TLV followed by an L2TPv3 TLV. draft-nalawade-kapoor-tunnel-safi-04.txt [Page 8] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 3.5. mGRE in IPSEC TLV When the value in the Type field is 6, the Value portion of the SAFI-Specific Attribute TLV will carry an IPSec TLV followed by an mGRE TLV. 4. Capability Advertisement A BGP speaker MAY participate in the distribution of the IPv4-Tunnel SAFI or IPv6-Tunnel SAFI information. A BGP speaker that wishes to exchange the IPv4-Tunnel SAFI or the IPv6 Tunnel SAFI, MUST use the MP_EXT Capability Code as defined in [BGP-MP], to advertise the corresponding (AFI, SAFI) pair. 5. Operation A BGP Speaker that receives the Capability for the IPv4-Tunnel SAFI or the IPv6-Tunnel SAFI, MAY advertise the IPv4-Tunnel SAFI or IPv6- Tunnel SAFI prefixes to that peer. The BGP Tunnel Encapsulation attribute is defined only to be used in UPDATE messages for the IPv4 tunnel SAFI or the IPv6 Tunnel SAFI. If the BGP Tunnel Encapsulation Attribute is received in an UPDATE message for any other AFI/SAFI, it MUST be ignored. If a BGP Speaker receives an unrecognized Transitive Tunnel Encapsulation TLV as part of the BGP Tunnel Encapsulation Attribute, it MUST accept it and propagate it to other peers. 6. Deployment Considerations In order for the Tunnels to come up between two end-points, the BGP Speakers advertising the Tunnel end-points using the IPv4/IPv6 Tunnel SAFI, MUST exchange at least one common encapsulation option. 7. Applicability 7.1. IPSec Tunnels Applicability IPSec protection of IP routed packets requires the establishment of an IPSec proxy that specifies the source and destination range of addresses that require protection. The synchronization of the IPSec proxy and the viability of the path to the destination IP address range has been a persistent problem in the deploy of IPSec solutions. The IPSec proxy must be associated with an IKE end-point identifier. IPSec is inherently a tunneling protocol; however, it has no means of synchronizing the viability of the destination path in the IPSec proxy. One approach to synchronizing the IPSec proxy, the IKE end- draft-nalawade-kapoor-tunnel-safi-04.txt [Page 9] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 point and the path viability is to leverage BGP Tunnel SAFI. The BGP protocol provides a means of distributing the destination address range of the IPSec proxy via the NLRI. The IKE end-point identifier may be consistent with the BGP next-hop and may be specified by the TLVs in the BGP Tunnel Encapsulation Attribute [BGP-TUN] in the BGP tunnel SAFI. An IPSec end-point that receives a BGP announcement may qualify the update and use the NLRI prefix as the destination range in the IPSec proxy. The IPSec end-point may learn the remote peer's IKE identity that is defined by the next-hop attribute of the Tunnel SAFI. The route viability is Inherently conveyed via the BGP protocol. The combination of the traditional IP NLRI and the Tunnel NLRI allows IPSec to automatically establish the connection attributes required to protect IP traffic between the two end-points. 7.2. IP Tunnels Applicability Multiprotocol Label Switching (MPLS) VPN introduced a peer-to-peer model that enables large scale IP VPN implementations. Traditional MPLS VPNs rely on an MPLS transport network to implement this peer- to-peer model. the MPLS transport with an IP transport. VPN traffic is carried by an IP tunnel instead of an MPLS Label Switched Path (LSP). The VPN customer receives the same service experience regardless of the transport choice used by the service provider. MPLS VPN uses the same mechanisms for VPN route distribution regardless of the backbone transport choice (IP or MPLS). Customer edge (CE) devices exchange routing information with the provider edge (PE) devices using BGP or an Interior Gateway Protocol (IGP) protocol. This routing information is exchanged between PEs using Multi-Protocol BGP (MP-BGP). VPN routing information is carried by MP-BGP as VPNv4 addresses. As part of this VPN route exchange, PEs learn the nexthop (egress PE) and a VPN label to be associated with each VPN route. Before proper VPNv4 BGP next hop resolution can take place, each PE needs to know which other PEs (i.e. Tunnel endpoints) are reachable via the IP tunnel. The Tunnel SAFI update messages provide a means of distributing the Tunnel endpoint address as the NLRI in the Tunnel SAFI UPDATE. The Tunnel endpoint address should be consistent with the BGP next-hop in the VPNv4 update messages. This information is used to determine which IP tunnel needs to be used for which VPNv4 prefixes. In addition, each PE needs to know the tunnel attributes (used to define this tunnel) that other PEs expect, so VPN packets can be encapsulated appropriately. Manual configuration of this information draft-nalawade-kapoor-tunnel-safi-04.txt [Page 10] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 is not scalable, as the number of PEs increases. A PE that receives the Tunnel SAFI update may use the tunnel NLRI prefix and the tunnel attributes specified by the other end, and try and establish a tunnel to that endpoint. PEs take advantage of the existing MP-BGP infrastructure to distribute tunnel endpoint information. The Tunnel SAFI UPDATE message is used to signal tunnel attribute and endpoint information amongst PEs. And thus tunnel endpoint discovery is accomplished using MP-BGP updates. 8. Security Considerations This extension to BGP does not change the underlying security issues. 9. Acknowledgements We would like to thank Jim Guichard, Francois LeFaucher for their contribution. We would like to thank Arjun Sreekantiah, Shyam Suri, Chandrashekhar Appanna, John Scudder and Mark Townsley for their comments and suggestions. 10. References [IANA-AFI] http://www.iana.org/assignments/address-family-numbers [IANA-SAFI] http://www.iana.org/assignments/safi-namespace [BGP-4] Rekhter, Y. and T. Li (editors), "A Border Gateway Protocol 4 (BGP-4)", Internet Draft draft-ietf-idr-bgp4-26.txt, April 2005. [BGP-CAP] Chandra, R., Scudder, J., "Capabilities Advertisement with BGP-4", draft-ietf-idr-rfc2842bis-02.txt, April 2002. [BGP-TUN] Kapoor R., Nalawade G., "BGPv4 Tunnel Encapsulation Attribute", draft-nalawade-kapoor-idr-bgp-ssa-02.txt, work in progress. [MULTI-BGP] Bates et al, "Multiprotocol Extensions for BGP-4", draft- ietf-idr-rfc2858bis-02.txt, work in progress. 11. Authors' Addresses Gargi Nalawade Cisco Systems, Inc 170 West Tasman Drive San Jose, CA 95134 mailto:gargi@cisco.com Ruchi Kapoor draft-nalawade-kapoor-tunnel-safi-04.txt [Page 11] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 Cisco Systems, Inc 170 West Tasman Drive San Jose, CA 95134 mailto:ruchi@cisco.com Dan Tappan Cisco Systems, Inc 170 West Tasman Drive San Jose, CA 95134 mailto:tappan@cisco.com Scott Wainner Cisco Systems, Inc 13600 Dulles Technology Drive Herndon, VA 20171 mailto:swainner@cisco.com 12. Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. draft-nalawade-kapoor-tunnel-safi-04.txt [Page 12] Internet Draft draft-nalawade-kapoor-tunnel-safi-04.txt October 2005 13. Full Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights." "This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 14. Expiration Date This memo is filed as , and expires April, 2006. draft-nalawade-kapoor-tunnel-safi-04.txt [Page 13]