Network Working Group                                      Eric C. Rosen
Internet Draft                                       Cisco Systems, Inc.
Expiration Date: March 2004                               September 2003


                    Protocol Actions for RFC2547bis

               draft-rosen-l3vpn-2547bis-protocol-00.txt


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   The purpose of this document is to list all the protocol changes
   specified in [RFC2547bis] and related drafts which might be regarded
   as requiring approval or other action by IETF WGs other than the
   L3VPN WG.  This document is for temporary administrative purposes
   only, and does not itself specify a protocol or an architecture.

Table of Contents

   1      Introduction
   2      BGP Protocol Extensions
   2.1    Required Extensions
   2.2    Optional Extensions
   3      OSPF Protocol Extensions
   4      IPsec Considerations
   5      Security Considerations
   6      References

1. Introduction

   The purpose of this document is to list all the protocol changes
   specified in [RFC2547bis] and related drafts which might be regarded
   as requiring approval or other action by IETF WGs other than the
   L3VPN WG.  This document is for temporary administrative purposes
   only, and does not itself specify a protocol or an architecture.

2. BGP Protocol Extensions

   There are no BGP protocol extensions which require action by any
   IETF WG before [RFC2547bis] may be progressed to Proposed Standard.
   The remainder of this section lists the BGP protocol extensions that
   are used, and their status.

2.1. Required Extensions

   The following BGP extensions, to which [RFC2547bis] makes normative
   references, are required for the implementation of the VPN
   architecture specified in [RFC2547bis]:

     - "Multiprotocol Extensions for BGP-4", RFC 2858 [BGP-MP]
       (Proposed Standard)

     - "BGP Extended Communities Attribute" [BGP-EXTCOMM] (has passed
       WG Last Call; on the Standards Track)

     - "Capabilities Advertisement with BGP-4", RFC 3392 (Draft
       Standard)

   [RFC2547bis] itself defines a new BGP address family, "VPN-IPv4
   Labeled Addresses", but does so in accordance with the procedures
   specified in RFC 2858.  The AFI and SAFI values for this address
   family are specified.  [2547-IPv6] also defines a new BGP address
   family, "MPLS-labeled VPN-IPv6".

2.2. Optional Extensions

   The following BGP extensions, to which [RFC2547bis] makes
   non-normative references, are optional for the VPN architecture
   specified in [RFC2547bis]:

     - "Route Refresh Capability for BGP-4", RFC 2918 [BGP-RFSH]
       (Proposed Standard)

     - "Cooperative Route Filtering Capability for BGP-4" [BGP-ORF]
       (IDR working group document)

3. OSPF Protocol Extensions

   [RFC2547bis] does not itself specify the procedures used when OSPF
   is the PE/CE routing protocol.
   This is specified in the draft "OSPF as the PE/CE Protocol in
   BGP/MPLS VPNs", draft-ietf-l3vpn-ospf-2547-00.txt [VPN-OSPF].  As
   [RFC2547bis] does not require the use of OSPF as the PE/CE routing
   protocol, [RFC2547bis]'s reference to [VPN-OSPF] is non-normative.

   [VPN-OSPF] does, however, require a protocol change to OSPF (the use
   of an LSA Options bit to prevent looping).  This protocol change is
   specified in draft-ietf-ospf-2547-dnbit-00.txt [OSPF-2547-DNbit], a
   Working Group document of the OSPF working group, on the standards
   track.

4. IPsec Considerations

   In [2547-IPsec], procedures are defined to enable packets between PE
   routers to be encrypted and/or authenticated via IPsec.  This is
   done by first creating an IP tunnel that begins at one PE router and
   ends at the other; the MPLS packets are placed in this IP tunnel.
   IPsec transport mode is then applied to the packets that enter and
   leave this tunnel.

   No changes to IPsec or its related protocols are specified or
   envisioned.  However, the way in which IPsec is used might be
   considered "unusual" in the following respects:

     - Transport mode is used, although the endpoints of the Security
       Association are not the ultimate source and destination of the
       packets.  This is not thought to be an issue, though, because
       the endpoints of the SA are exactly the source and destination
       of the IP packets to which IPsec is applied (the tunnel packets,
       not the customer packets carried inside the tunnel).

     - The egress PE is optionally allowed to exert policy control over
       the Security Association, and BGP may optionally be used to
       distribute policy information.  The existence of policy control
       at the egress is a common industry practice, though some have
       argued that this is not what the IPsec specifications originally
       intended.

     - The set of packets sent on a particular Security Association is
       determined by routing, rather than by filtering on the packet
       header.  While this is a common industry practice, some have
       argued that this is not a "proper" use of IPsec.
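   The encapsulation described in this section, and the first and third
   of the points just listed, as an added example that is not part of
   this draft, of [2547-IPsec], or of any vendor implementation: a
   Python model of the ingress and egress PE processing.  Everything in
   it is constructed for illustration: the PE addresses 192.0.2.1 and
   192.0.2.2, a VRF with a single route, one SA with a made-up SPI and
   key, and the choice of ESP with NULL encryption plus HMAC-SHA-256-128
   (the draft mandates no particular transform).  The MPLS-in-IP
   protocol number 137 is the value later assigned by RFC 4023, the
   published form of [MPLS-in-IP/GRE].  The model shows that the IP
   packet to which ESP is applied has the two PEs as its source and
   destination, so the SA endpoints coincide with them, and that the SA
   is chosen by the VRF route lookup on the customer packet, not by a
   selector on its header.

```python
"""Added example (not from the draft): PE-to-PE encapsulation of [2547-IPsec].
Customer IPv4 packet -> VPN label -> MPLS-in-IP tunnel between the PEs ->
ESP in transport mode on the tunnel packet.  All addresses, the VRF, the
label, the SPI and the key are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import struct

MPLS_IN_IP_PROTO = 137   # IP protocol number for MPLS-in-IP (RFC 4023)
ESP_PROTO = 50           # IP protocol number for ESP
ICV_LEN = 16             # HMAC-SHA-256-128: ICV truncated to 128 bits (RFC 4868)

# Constructed tables for the ingress PE.  Routing (the VRF lookup) picks the
# egress PE and the VPN label; the SA used is the one toward that egress PE.
INGRESS_PE = "192.0.2.1"
VRF_RED = {ipaddress.ip_network("10.2.0.0/16"): ("192.0.2.2", 100042)}
SA_BY_PE = {"192.0.2.2": (0x1000ABCD, b"constructed-demo-key")}


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement header checksum; returns 0 for a header with a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with checksum, followed by payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                                ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def _rewrite_header(ip_hdr: bytes, proto: int, payload_len: int) -> bytes:
    """Copy of an IPv4 header with new protocol and total length, checksum recomputed."""
    hdr = bytearray(ip_hdr)
    hdr[9] = proto
    struct.pack_into("!H", hdr, 2, len(hdr) + payload_len)
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def mpls_entry(label: int, exp: int = 0, bottom: bool = True, ttl: int = 64) -> bytes:
    """One MPLS label stack entry: 20-bit label, 3-bit EXP, S bit, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def esp_transport_encap(ip_pkt: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """ESP transport mode (RFC 4303), NULL encryption + HMAC-SHA-256-128: the ESP
    header is inserted after the IP header, the IP protocol field becomes 50, and
    the trailer's Next Header keeps the original protocol.  The SA endpoints are
    exactly this packet's own source and destination addresses."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    ip_hdr, payload = ip_pkt[:ihl], ip_pkt[ihl:]
    pad_len = (-(len(payload) + 2)) % 4           # Pad Length + Next Header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, ip_hdr[9]])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return _rewrite_header(ip_hdr, ESP_PROTO, len(body) + ICV_LEN) + body + icv


def esp_transport_decap(pkt: bytes, spi: int, key: bytes) -> tuple:
    """Check ICV and SPI, strip ESP, and restore the original IP packet; returns (packet, seq)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, esp = pkt[:ihl], pkt[ihl:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP ICV mismatch")
    got_spi, seq = struct.unpack("!II", body[:8])
    if got_spi != spi:
        raise ValueError("unexpected SPI 0x%08x" % got_spi)
    pad_len, next_proto = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return _rewrite_header(ip_hdr, next_proto, len(payload)) + payload, seq


def pe_encapsulate(customer_pkt: bytes, seq: int = 1) -> bytes:
    """Ingress PE: VRF lookup -> VPN label + MPLS-in-IP tunnel -> ESP transport mode."""
    dst = ipaddress.IPv4Address(customer_pkt[16:20])
    matches = [n for n in VRF_RED if dst in n]
    if not matches:
        raise LookupError("no VRF route for %s" % dst)
    egress_pe, label = VRF_RED[max(matches, key=lambda n: n.prefixlen)]   # longest match
    tunnel = ipv4_packet(INGRESS_PE, egress_pe, MPLS_IN_IP_PROTO,
                         mpls_entry(label) + customer_pkt)
    spi, key = SA_BY_PE[egress_pe]                # SA chosen by the route, not by a selector
    return esp_transport_encap(tunnel, spi, seq, key)


def pe_decapsulate(pkt: bytes) -> tuple:
    """Egress PE: ESP check, then strip the tunnel header and the label.
    Returns (outer src, outer dst, VPN label, customer packet)."""
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    outer_dst = str(ipaddress.IPv4Address(pkt[16:20]))
    spi, key = SA_BY_PE[outer_dst]                # the single SA of this PE pair
    tunnel, _seq = esp_transport_decap(pkt, spi, key)
    if tunnel[9] != MPLS_IN_IP_PROTO:
        raise ValueError("tunnel payload is not MPLS-in-IP")
    label = struct.unpack("!I", tunnel[20:24])[0] >> 12
    return outer_src, outer_dst, label, tunnel[24:]


if __name__ == "__main__":
    cust = ipv4_packet("10.1.0.5", "10.2.0.9", 17, b"payload")   # constructed CE-to-CE packet
    wire = pe_encapsulate(cust)
    src, dst, label, inner = pe_decapsulate(wire)
    print("ESP applied to %s -> %s (proto %d); label %d; inner packet restored: %s"
          % (src, dst, wire[9], label, inner == cust))
```

   Running the script shows the protected packet travelling from
   192.0.2.1 to 192.0.2.2 with protocol 50, while the customer packet
   inside still carries its 10.1.0.5 -> 10.2.0.9 addresses; flipping
   any byte of the ESP payload or ICV makes the egress PE reject it.  A
   real deployment would add confidentiality and anti-replay checks on
   the sequence number, which this model omits.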
   In the opinion of the author, the three points listed above are
   non-issues, but they are mentioned here in recognition of the fact
   that there may be other opinions.

   There are some additional considerations arising from [2547-IPsec]:

     - That document references [MPLS-in-IP/GRE], which is an MPLS
       working group document on the standards track.

     - Optional parts of [2547-IPsec] require the definition of
       additional BGP Extended Communities.

5. Security Considerations

   As this document is for administrative purposes only, and specifies
   no architecture, protocols, procedures, or practices, it does not
   raise any security considerations.

6. References

   [2547-IPsec]       Rosen, De Clercq, Paridaens, T'Joens, Sargor,
                      "Use of PE-PE IPsec in RFC2547 VPNs",
                      draft-ietf-l3vpn-ipsec-2547-01.txt, August 2003

   [2547-IPv6]        Nguyen, Gastaud, Ooms, De Clercq, Carugi,
                      "BGP-MPLS VPN extension for IPv6 VPN over an IPv4
                      infrastructure", draft-ietf-l3vpn-bgp-ipv6-01.txt,
                      August 2003

   [BGP-MP]           Bates, Chandra, Katz, Rekhter, "Multiprotocol
                      Extensions for BGP-4", RFC 2858, June 2000

   [BGP-EXTCOMM]      Sangli, Tappan, Rekhter, "BGP Extended
                      Communities Attribute",
                      draft-ietf-idr-bgp-ext-communities-06.txt,
                      August 2003

   [BGP-ORF]          Chen, Rekhter, "Cooperative Route Filtering
                      Capability for BGP-4",
                      draft-ietf-idr-route-filter-09.txt, August 2003

   [BGP-RFSH]         Chen, "Route Refresh Capability for BGP-4",
                      RFC 2918, March 2000

   [MPLS-in-IP/GRE]   Worster, Rekhter, Rosen, "Encapsulating MPLS in
                      IP or GRE", draft-ietf-mpls-in-ip-or-gre-03.txt,
                      September 2003

   [RFC2547bis]       Rosen, Rekhter, et al., "BGP/MPLS IP VPNs",
                      draft-ietf-l3vpn-rfc2547bis-00.txt, May 2003

   [VPN-OSPF]         Rosen, Psenak, Pillay-Esnault, "OSPF as the PE/CE
                      Protocol in BGP/MPLS VPNs",
                      draft-ietf-l3vpn-ospf-2547-00.txt, June 2003

   [OSPF-2547-DNbit]  Rosen, Psenak, Pillay-Esnault, "Using an LSA
                      Options Bit to Prevent Looping in BGP/MPLS IP
                      VPNs", draft-ietf-ospf-2547-dnbit-00.txt,
                      June 2003