Network Working Group                                      Eric C. Rosen
Internet Draft                                       Cisco Systems, Inc.
Expiration Date: March 2004

                                                          September 2003


                    Protocol Actions for RFC2547bis


               draft-rosen-l3vpn-2547bis-protocol-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   The purpose of this document is to list all the protocol changes
   specified in [RFC2547bis] and related drafts which might be regarded
   to require approval or other action by IETF WGs other than the L3VPN
   WG.  This document is for temporary administrative purposes only, and
   does not itself specify a protocol or an architecture.












Rosen                                                           [Page 1]


Internet Draft draft-rosen-l3vpn-2547bis-protocol-00.txt  September 2003




Table of Contents

    1      Introduction
    2      BGP Protocol Extensions
    2.1    Required Extensions
    2.2    Optional Extensions
    3      OSPF Protocol Extensions
    4      IPsec Considerations
    5      Security Considerations
    6      References




1. Introduction

   The purpose of this document is to list all the protocol changes
   specified in [RFC2547bis] and related drafts which might be regarded
   to require approval or other action by IETF WGs other than the PPVPN
   WG.  This document is for temporary administrative purposes only, and
   does not itself specify a protocol or an architecture.


2. BGP Protocol Extensions

   There are no BGP protocol extensions which require action by any IETF
   WG before [RFC2547bis] may be progressed to proposed standard.  The
   remainder of this section lists the BGP protocol extensions that are
   used, and their status.


2.1. Required Extensions

   Required for the implementation of the VPN architecture specified in
   [RFC2547bis] are the following BGP extensions (to which [RFC2547bis]
   makes normative references):

     - "BGP Multiprotocol Extensions for BGP-4", RFC 2858 (Proposed
       Standard)

     - "BGP Extended Communities Attribute", draft-ietf-idr-bgp-ext-
       communities-05.txt (has passed WG Last Call, on Standards track)









     - "Capabilities Advertisement with BGP-4", RFC 3392 (Draft
       Standard)

   [RFC2547bis] itself defines a new BGP address family, "VPN-IPv4
   Labeled Addresses", but does so in accordance with procedures
   specified in RFC 2858. The AFI and SAFI are specified.  [2547-IPv6]
   also defines a new BGP address family, "MPLS-labeled VPN-IPv6".


2.2. Optional Extensions

   The following BGP extensions (to which [RFC2547bis] makes NON-
   normative references) are optional for the VPN architecture specified
   in [RFC2547bis]:

     - Route Refresh Capability for BGP-4, RFC 2918 (Proposed Standard)

     - "Cooperative Route Filtering Capability for BGP-4", draft-ietf-
       idr-route-filter-06.txt (BGP working group document)


3. OSPF Protocol Extensions

   [RFC2547bis] does not itself specify the procedures used when OSPF is
   the PE/CE routing protocol.  This is specified in the draft "OSPF as
   the PE/CE Protocol in BGP/MPLS VPNs", draft-ietf-l3vpn-ospf-2547-
   00.txt [VPN-OSPF].  As [RFC2547bis] does not require the use of OSPF
   as the PE/CE routing protocol, [RFC2547bis]'s reference to [VPN-OSPF]
   is non-normative.

   [VPN-OSPF] does require a protocol change to OSPF.  This
   protocol change is specified in draft-ietf-ospf-2547-dnbit-00.txt
   [OSPF-2547-DNBIT], a Working Group document of the OSPF working
   group, on the standards track.


4. IPsec Considerations

   In [2547-IPsec], procedures are defined to enable packets between PE
   routers to be encrypted and/or authenticated via IPsec.  This is done
   by first creating an IP tunnel that begins at one PE router and ends
   at the other.  The MPLS packets are placed in this IP tunnel.  IPsec
   Transport Mode is then applied to the packets that enter and leave
   this tunnel.  No changes to IPsec or its related protocols are
   specified or envisioned.  However, the way in which IPsec is used
   might be considered "unusual" in the following respects:







     - Transport mode is used, although the endpoints of the Security
       Association are not the ultimate source and destination of the
       packets.  This is not thought to be an issue, though, because the
       endpoints of the SA ARE the source and destination of the IP
       packets to which IPsec is applied.

     - The egress PE is optionally allowed to exert policy control over
       the Security Association, and BGP may be optionally used to
       distribute policy information.  The existence of policy control
       at the egress is a common industry practice, though some have
       argued that this is not what the IPsec specifications originally
       intended.

     - The set of packets sent on a particular Security Association is
       determined by routing, rather than by filtering on the packet
       header.  While this is a common industry practice, some have
       argued that this is not a "proper" use of IPsec.

   In the opinion of the author, these are non-issues, but they are
   mentioned here in recognition of the fact that there may be other
   opinions.

   There are some additional considerations from [2547-IPsec]:

     - That document references [MPLS-in-IP/GRE], which is an MPLS
       working group document on the standards track.

     - Optional parts of [2547-IPsec] require the definition of
       additional BGP Extended Communities.



5. Security Considerations

   As this document is for administrative purposes only, and specifies
   no architecture, protocols, procedures, or practices, it does not
   raise any security considerations.


6. References

   [2547-IPsec] Rosen, De Clercq, Paridaens, T'Joens, Sargor, "Use of
   PE-PE IPsec in RFC2547 VPNs", draft-ietf-l3vpn-ipsec-2547-01.txt,
   August 2003

   [2547-IPv6] Nguyen, Gastaud, Ooms, De Clercq, Carugi, "BGP-MPLS VPN
   extension for IPv6 VPN over an IPv4 infrastructure", draft-ietf-
   l3vpn-bgp-ipv6-01.txt, August 2003





   [BGP-MP] Bates, Chandra, Katz, and Rekhter, "Multiprotocol Extensions
   for BGP4", June 2000, RFC 2858

   [BGP-EXTCOMM] Sangli, Tappan, Rekhter, "BGP Extended Communities
   Attribute", draft-ietf-idr-bgp-ext-communities-06.txt, August 2003

   [BGP-ORF] Chen, Rekhter, "Cooperative Route Filtering Capability for
   BGP-4", draft-ietf-idr-route-filter-09.txt, August 2003

   [BGP-RFSH] Chen, "Route Refresh Capability for BGP-4", March 2000,
   RFC 2918

   [MPLS-in-IP/GRE] Worster, Rekhter, Rosen, "Encapsulating MPLS in IP
   or GRE", draft-ietf-mpls-in-ip-or-gre-03.txt, September 2003

   [RFC2547bis] Rosen, Rekhter, et al., "BGP/MPLS IP VPNs", draft-
   ietf-l3vpn-rfc2547bis-00.txt, May 2003

   [VPN-OSPF] Rosen, Psenak and Pillay-Esnault, "OSPF as the PE/CE
   Protocol in BGP/MPLS VPNs", draft-ietf-l3vpn-ospf-2547-00.txt, June
   2003

   [OSPF-2547-DNBIT] Rosen, Psenak, and Pillay-Esnault, "Using an LSA
   Options Bit to Prevent Looping in BGP/MPLS IP VPNs", draft-ietf-
   ospf-2547-dnbit-00.txt, June 2003

























