Network Working Group                                       Eric C. Rosen
Internet Draft                                        Cisco Systems, Inc.
Expiration Date: February 2003                                August 2002

                    Protocol Actions for RFC2547bis

                draft-rosen-ppvpn-2547bis-protocol-01.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Abstract

The purpose of this document is to list all the protocol changes specified in [RFC2547bis] and related drafts which might be regarded to require approval or other action by IETF WGs other than the PPVPN WG. This document is for temporary administrative purposes only, and does not itself specify a protocol or an architecture.

Rosen                                                           [Page 1]

Internet Draft     draft-rosen-ppvpn-2547bis-protocol-01.txt     August 2002

Table of Contents

1     Introduction ........................................... 2
2     BGP Protocol Extensions ................................ 2
2.1   Required Extensions .................................... 2
2.2   Optional Extensions .................................... 3
3     OSPF Protocol Extensions ............................... 3
4     IPsec Considerations ................................... 4
5     Multicast Considerations ............................... 5
6     Security Considerations ................................ 5
7     References ............................................. 5

1. Introduction

The purpose of this document is to list all the protocol changes specified in [RFC2547bis] and related drafts which might be regarded to require approval or other action by IETF WGs other than the PPVPN WG. This document is for temporary administrative purposes only, and does not itself specify a protocol or an architecture.

2. BGP Protocol Extensions

There are no BGP protocol extensions which require action by any IETF WG before [RFC2547bis] may be progressed to Proposed Standard. The remainder of this section lists the BGP protocol extensions that are used, and their status.

2.1. Required Extensions

Required for the implementation of the VPN architecture specified in [RFC2547bis] are the following BGP extensions (to which [RFC2547bis] makes normative references):

- "BGP Multiprotocol Extensions for BGP-4", RFC 2858 (Proposed Standard)

- "BGP Extended Communities Attribute", draft-ietf-idr-bgp-ext-communities-05.txt (has passed WG Last Call, on Standards Track)

- "Capabilities Advertisement with BGP-4", RFC 2842 (Proposed Standard)

[RFC2547bis] itself defines a new BGP address family, "VPN-IPv4 Labeled Addresses", but does so in accordance with procedures specified in RFC 2858. [2547-IPv6] also defines a new BGP address family, "MPLS-labeled VPN-IPv6".

2.2. Optional Extensions

The following BGP extensions (to which [RFC2547bis] makes non-normative references) are optional for the VPN architecture specified in [RFC2547bis]:

- "Route Refresh Capability for BGP-4", RFC 2918 (Proposed Standard)

- "Cooperative Route Filtering Capability for BGP-4", draft-ietf-idr-route-filter-06.txt (BGP working group document)

3. OSPF Protocol Extensions

[RFC2547bis] does not itself specify the procedures used when OSPF is the PE/CE routing protocol. This is largely specified in the draft "OSPF as the PE/CE Protocol in BGP/MPLS VPNs", draft-rosen-vpns-ospf-bgp-mpls-04.txt [VPN-OSPF].
As [RFC2547bis] does not require the use of OSPF as the PE/CE routing protocol, [RFC2547bis]'s reference to [VPN-OSPF] is non-normative.

[VPN-OSPF] does not require any protocol changes which require action by any IETF WG.

However, [VPN-OSPF] does not specify procedures for handling the case where the PE/CE link is an Area 0 link. This is specified in a separate draft, [VPN-OSPF-Area0]. Since [VPN-OSPF] does not require support for the case where the PE/CE link is an Area 0 link, any reference from it to [VPN-OSPF-Area0] would be non-normative.

[VPN-OSPF-Area0] does require an extension to the OSPF protocol. In particular, it assigns a use for one of the hitherto unused OSPF Options bits. This does require approval by an IETF WG.

4. IPsec Considerations

In [2547-IPsec], procedures are defined to enable packets between PE routers to be encrypted and/or authenticated via IPsec. This is done by first creating an IP tunnel that begins at one PE router and ends at the other. The MPLS packets are placed in this IP tunnel. IPsec Transport Mode is then applied to the packets that enter and leave this tunnel.

No changes to IPsec or its related protocols are specified or envisioned. However, the way in which IPsec is used might be considered "unusual" in the following respects:

- Transport mode is used, although the endpoints of the Security Association are not the ultimate source and destination of the packets. This is not thought to be an issue, though, because the endpoints of the SA ARE the source and destination of the IP packets to which IPsec is applied.

- The egress PE is optionally allowed to exert policy control over the Security Association, and BGP may be optionally used to distribute policy information. The existence of policy control at the egress is a common industry practice, though some have argued that this is not what the IPsec specifications originally intended.
- The set of packets sent on a particular Security Association is determined by routing, rather than by filtering on the packet header. While this is a common industry practice, some have argued that this is not a "proper" use of IPsec.

In the opinion of the author, these are non-issues, but they are mentioned here in recognition of the fact that there may be other opinions.

There are some additional considerations from [2547-IPsec]:

- That document references [MPLS-in-IP/GRE], which is being proposed to the MPLS WG, but is not yet a working group document. Arguably the reference is non-normative.

- Optional parts of [2547-IPsec] require the definition of additional BGP Extended Communities.

5. Multicast Considerations

This section is deferred to a later revision.

6. Security Considerations

As this document is for administrative purposes only, and specifies no architecture, protocols, procedures, or practices, it does not raise any security considerations.

7. References

[2547-IPsec] Rosen, De Clercq, Paridaens, T'Joens, Sargor, "Use of PE-PE IPsec in RFC2547 VPNs", draft-ietf-ppvpn-ipsec-2547-01.txt, February 2002

[2547-IPv6] Nguyen, Gastaud, Ooms, De Clercq, Carugi, "BGP-MPLS VPN extension for IPv6 VPN over an IPv4 infrastructure", draft-ietf-ppvpn-bgp-ipv6-vpn-02.txt, May 2002

[BGP-MP] Bates, Chandra, Katz, Rekhter, "Multiprotocol Extensions for BGP-4", RFC 2858, June 2000

[BGP-EXTCOMM] Ramachandra, Tappan, "BGP Extended Communities Attribute", draft-ietf-idr-bgp-ext-communities-05.txt, May 2002

[BGP-ORF] Chen, Rekhter, "Cooperative Route Filtering Capability for BGP-4", draft-ietf-idr-route-filter-06.txt, May 2002

[BGP-RFSH] Chen, "Route Refresh Capability for BGP-4", RFC 2918, March 2000

[MPLS-in-IP/GRE] "Encapsulating MPLS in IP or GRE", draft-rosen-mpls-in-ip-or-gre-00.txt, August 2002

[RFC2547bis] Rosen, Rekhter, et al., "BGP/MPLS VPNs", draft-ietf-ppvpn-rfc2547bis-01.txt, January 2002

[VPN-OSPF] Rosen, Psenak, Pillay-Esnault, "OSPF as the PE/CE Protocol in BGP/MPLS VPNs", draft-rosen-vpns-ospf-bgp-mpls-04.txt, January 2002

[VPN-OSPF-Area0] Rosen, Psenak, Pillay-Esnault, "OSPF Area 0 PE/CE Links in BGP/MPLS VPNs", draft-rosen-ppvpn-ospf2547-area0-00.txt, January 2002
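The PE-PE IPsec layering described in Section 4 (an IP tunnel between the PEs carrying the MPLS packets, with IPsec transport mode applied to the tunnel packets), as an added illustration that is not part of this draft or of [2547-IPsec]: the Python model below builds the header stack and shows that the addresses IPsec operates on are the PE tunnel endpoints, not the customer hosts inside the tunnel. The MPLS-in-IP protocol number 137, the PE and customer addresses, the VPN label and the SPI are assumed or constructed values; ESP encryption and integrity protection are omitted so that only the header layering is modelled.

```python
import socket
import struct

MPLS_IN_IP_PROTO = 137  # assumed IP protocol number for MPLS-in-IP (not given on this page)
ESP_PROTO = 50          # IP protocol number for IPsec ESP

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum; a valid IPv4 header sums to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return total

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = (~ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def mpls_label_entry(label: int, bottom: bool = True, ttl: int = 64) -> bytes:
    """One 4-byte label stack entry: 20-bit label, EXP=0, S bit, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def mpls_in_ip(pe_src: str, pe_dst: str, vpn_label: int, customer_pkt: bytes) -> bytes:
    """Step 1: the labelled packet is placed in an IP tunnel between the two PEs."""
    mpls_pkt = mpls_label_entry(vpn_label) + customer_pkt
    return ipv4_header(pe_src, pe_dst, MPLS_IN_IP_PROTO, len(mpls_pkt)) + mpls_pkt

def esp_transport_mode(tunnel_pkt: bytes, spi: int, seq: int) -> bytes:
    """Step 2: IPsec transport mode keeps the PE-PE IP header, switches its
    protocol to ESP and inserts an ESP header ahead of the MPLS payload.
    Encryption and ICV are deliberately omitted: this models layering only."""
    ip_hdr, payload = tunnel_pkt[:20], tunnel_pkt[20:]
    src, dst = socket.inet_ntoa(ip_hdr[12:16]), socket.inet_ntoa(ip_hdr[16:20])
    esp_hdr = struct.pack("!II", spi, seq)  # SPI and sequence number
    return ipv4_header(src, dst, ESP_PROTO, len(esp_hdr) + len(payload)) + esp_hdr + payload

def sa_endpoints(pkt: bytes) -> tuple:
    """Source/destination of the IP packet IPsec is applied to: the PE routers."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

# Constructed sample: customer hosts 10.1.1.1 -> 10.2.2.2, PE loopbacks 192.0.2.1/.2
CUSTOMER_PKT = ipv4_header("10.1.1.1", "10.2.2.2", 17, 4) + b"data"
PE_A, PE_B = "192.0.2.1", "192.0.2.2"

def build_protected_packet(vpn_label: int = 1000, spi: int = 0x1001, seq: int = 1) -> bytes:
    """Outer IP (PE->PE, proto ESP) | ESP | MPLS label | customer IP packet."""
    return esp_transport_mode(mpls_in_ip(PE_A, PE_B, vpn_label, CUSTOMER_PKT), spi, seq)
```

Running `sa_endpoints(build_protected_packet())` returns the PE addresses while the customer header is still intact at offset 32, which is the point of the first bullet in Section 4: the SA endpoints are the source and destination of the packet IPsec actually protects.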