Network Working Group S. Shimizu INTERNET-DRAFT T. Kawano K. Murakami NTT Network Innovation Labs. E. Beier DeTe Systems July 2000 Expires: January 2001 MAPOS/PPP Tunneling mode (draft-shimizu-ppp-mapos-00.txt) Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Distribution of this memo is unlimited. Please send comments to the authors and . Abstract This document specifies tunneling configuration over MAPOS networks. Using this mode, a MAPOS network can provide transparent point-to- point link for PPP over SONET/SDH (Packet over SONET/SDH, POS) without any additional overhead. 1. Introduction MAPOS [1] frame is designed to be similar to PPP over SONET/SDH (Packet over SONET/SDH, POS)[2][3] frame. This means that a MAPOS Shimizu, Kawano, Murakami & Beier [Page 1] INTERNET-DRAFT July 2000 network can easily carry POS frames with no additional header overhead. PPP tunneling configuration over MAPOS networks (MAPOS/PPP tunneling mode) provides an efficiant way of L2 multiplexing by which users can share the cost of high speed longhaul links. This document specifies MAPOS/PPP tunneling mode. In this mode, a MAPOS network provides a point-to-point link for those who intend to connect POS equipment. Such link is established within a MAPOS switch, or between a pair of MAPOS switches by rewriting POS header with MAPOS header for each L2 frame. Chapter 2 describes the specification in two parts. First part is user network interface (UNI) specification and the second part is operation, administration, management and provisioning (OAM&P) description. Other issues such as congestion avoidance, end-to-end fairness control are out of scope of this document. An example of service is given in Chapter 3. Some security issues are noted in Chapter 4. 2. MAPOS/PPP tunneling mode 2.1 Overview MAPOS/PPP tunneling mode is based on header rewriting. Figure 1. shows an example of MAPOS/PPP tunneling mode. The MAPOS network uses MAPOS 16 [6] in this example. Consider a tunneling path between customer premise equipment (CPE) A and CPE B which are industry standard POS equipment. Unique MAPOS addresses (0x0203 and 0x0403 respectively) are assigned to both of CPEs inside MAPOS switches. Usually these assignments are predetermined on per port basis. From CPE A to CPE B, ingress MAPOS switch A rewrites the first 2 octets of every frame from CPE A, which are fixed as 0xFF and 0x03, to the MAPOS address of its peer, which is 0x0403. Frames are forwarded by MAPOS network and arrives at the egress MAPOS switch B which rewrites the first 2 octets to their original values. Vice versa for packet from CPE B to CPE A. If MAPOS v1 [5] is used in the MAPOS network, only the first octet is rewritten. +-----+ POS/0x0203 +--------+ +--------+ |CPE A|<---------->|MAPOS | MAPOS |MAPOS |<--- +-----+ --->|switch A|------------------|switch |<--- +--------+\__ Networks __/+--------+ \__ __/ +--------+ +-|-----|-+ POS/0x0403 +-----+ --->|MAPOS |----|MAPOS |<---------->|CPE B| --->|switch | |switch B |<--- +-----+ +--------+ +---------+ Shimizu, Kawano, Murakami & Beier [Page 2] INTERNET-DRAFT July 2000 Figure 1. MAPOS/PPP tunneling mode The tunneling path between the two CPEs is managed by each ingress/egress MAPOS switches. 2.2 User-Network Interface(UNI) 2.2.1 Physical Layer For transport media between border MAPOS switch and CPE, SONET/SDH signal is utilized. Signal speed, path signal label, light power budget and all physical requirements are the same as PPP over SONET/SDH [2]. SONET/SDH overheads are terminated at the ingress/egress switches. This means, SONET/SDH performance monitors and alarms are used only for the link between CPE and the switch. Service provider should prepare high-reliable inter-switch link by using optically protected WDM equipment and/or SONET/SDH protected ring. A CPE should synchronize to the clock of the border MAPOS switch. The corresponding port of the MAPOS switch uses its internal clock. However, when the CPE is connected to the MAPOS switch through SONET/SDH network, both should synchronize to the clock of the SONET/SDH transmission equipment. 2.2.2 Link layer Link layer framing between CPE and MAPOS switch also follows the specification of PPP over SONET/SDH [2]. HDLC operation including byte stuffing, scrambling, FCS generation is terminated at the ingress/egress switch. In a MAPOS switch, HDLC frame [3] is picked up from a SONET/SDH payload and the first octet (HDLC address) for MAPOS v1 [1], and the first two octets (HDLC address and control field) for MAPOS 16 [6] are rewritten. The operation inside the border switch is as follows: From CPE (Ingress Switch receiving): SONET/SDH framing -> X^43+1 Descrambling -> Byte destuffing -> FCS detection (if error, silently discard) -> L2 HDLC address/control rewriting (0xFF -> MAPOS v1 destination address, or 0xFF03 -> MAPOS 16 destination address) -> MAPOS-FCS generation -> Byte stuffing -> X^43+1 Scrambling -> SONET/SDH framing Shimizu, Kawano, Murakami & Beier [Page 3] INTERNET-DRAFT July 2000 To CPE (Egress Switch transmitting): SONET/SDH framing -> X^43+1 Descrambling -> Byte destuffing -> MAPOS-FCS detection (if error, silently discard) -> L2 HDLC address/control rewriting (MAPOS v1 address -> 0xFF, or MAPOS 16 address -> 0xFF03) -> FCS generation -> Byte stuffing -> X^43+1 Scrambling -> SONET/SDH framing For STS-3c-SPE/VC-4, non-scrambled frame can be used for compatibility with RFC 1619. However, the use of 32bit-CRC and X^43+1 scrambling is recommended in RFC2615 [2] and for MAPOS networks. Maximum transmission unit (MTU) of the link must not be negotiated larger than MAPOS-MTU which is 65280 octets. Figure 2 shows a CPE-side L2 frame and the converted frame in the ingress/egress MAPOS switches. Note that the MAPOS/PPP tunneling mode is not a piggyback encapsulation, but it is a transparent link with no additional header overhead. +----------+----------+----------+----------+ | Flag | Address | Control | Protocol | | 01111110 | 11111111 | 00000011 | 16 bits | +----------+----------+----------+----------+ +-------------+---------+----------+----------+----------------- | Information | Padding | FCS | Flag | Inter-frame Fill | * | * |16/32 bits| 01111110 | or next Address +-------------+---------+----------+----------+----------------- (a) HDLC frame from/to CPE +----------+----------+----------+----------+ | Flag | MAPOS Destination | Protocol | | 01111110 | 0xxxxxx0 | xxxxxxx1 | 16 bits | +----------+----------+----------+----------+ +-------------+---------+----------+----------+----------------- | Information | Padding |MAPOS FCS | Flag | Inter-frame Fill | * | * |16/32 bits| 01111110 | or next Address +-------------+---------+----------+----------+----------------- (b) Converted MAPOS 16 frame, forwarded in MAPOS networks Figure 2. HDLC frame from/to CPE and its conversion 2.3 Operation, Administration, Management and Provisioning (OAM&P) Shimizu, Kawano, Murakami & Beier [Page 4] INTERNET-DRAFT July 2000 2.3.1 MAPOS port configuration When a port of MAPOS switch is configured to PPP tunneling mode, at least the following operations are performed in the switch. a) Disable NSP [9] and SSP [7] (for the port, same below) b) Disable MAPOS broadcast and multicast forwarding c) Enable header rewriting function d) Reset the Path Signal Label (C2) to 0x16 if X^43+1 scrambling is used. The value 0xCF is used for non-scrambled OC3c signal. e) Start host-route advertisement (see 2.3.2) When the port is configured back to MAPOS mode, reverse order of the operations above are performed. That means; a) Stop host-route advertisement (see 2.3.4) b) Reset the Path Signal Label (C2) to MAPOS default (0x8d) c) Disable header rewriting function d) Enable MAPOS broadcast and multicast forwarding e) Enable NSP [9] and SSP [7] 2.3.2 Path Establishment A MAPOS/PPP tunneling path is established by following steps. a) Choose MAPOS address pair on both ingress/egress switches and configure their ports to PPP tunneling mode. Switches enable their header rewriting process and start advertising host- route for the tunneling port. b) Wait for host-route exchange and its convergence. c) When the routes for both directions become stable, the tunneling path is established. The link between the CPEs may be set up at that moment; PPP LCP controls are transparently exchanged by the CPEs. To add a new path, operators should pick unused MAPOS address-pair. They may be determined simply by choosing switches and ports for each CPE, because there is one-to-one correspondence between MAPOS addresses and switch ports. Then, those ports should be configured to MAPOS/PPP tunneling mode on both of the switches. This triggers header rewriting and host- route advertising. Using triggered update of SSP [7], both switches will receive a route to each other. When the routes become stable, the path is established and frame forwarding is started. Until then, the link between border switches and CPE should be down. Shimizu, Kawano, Murakami & Beier [Page 5] INTERNET-DRAFT July 2000 A MAPOS/PPP tunneling path should be managed by the pair of MAPOS addresses. It should be carefully handled to avoid misconfiguration such as path duplication. For convenient management, path database can be used to keep information about pairs of MAPOS addresses. Note that the path database is not used for frame forwarding. It is for OAM&P use only. 2.3.3 Failure detection and indication When any link or node failure is detected, it should be indicated to each peer of the path. This is done by PPP keepalive (LCP Echo request/reply) for end-to-end detection. Consideration is required to handle SONET/SDH alarms. When a link between CPE and the MAPOS switch fails, it is detected by both the MAPOS switch and the CPE seeing SONET/SDH alarms. However, far-side link remains up and no SONET/SDH error is found; SONET/SDH alarms are not transferred to the far end because each optical path is terminated in MAPOS network. In this case, the far end will see 'link up, line protocol down' status because of keepalive expiration. For example, figure 3 shows a tunneling path. When link 1 goes down, MAPOS sw A and CPE A detects SONET/SDH alarms but MAPOS sw B and CPE A' do not see this failure. When PPP keepalive expires, CPE A' detects the failure and stops the packet transmission. The same mechanism is used for failure within the MAPOS cloud (link 2). When a MAPOS switch is down, SSP handles it as a topology change. 1 2 3 CPE A <-x-> MAPOS sw A ---(MAPOS cloud)--- MAPOS sw B <---> CPE A' Figure 3. Link failure 2.3.4 Path removal A MAPOS/PPP tunneling path is removed by following steps. a) Choose the path to remove, configure MAPOS switches on both ends of the path to disable the ports connected to the CPEs. b) Switches removes host-route entry of peer addresses and stops advertising host-route information. c) Wait for the host-route information to be cleard from the MAPOS network. Path database may be updated that the path is removed. Frames arriving after the destination port was disabled should be Shimizu, Kawano, Murakami & Beier [Page 6] INTERNET-DRAFT July 2000 silently discarded and should not be forwarded to the port. 2.3.5 Provisioning and Design Consideration Because MAPOS does not have any QoS control at its protocol level, and POS does not have flow-control feature, it is difficult to guarantee end-end throughput. Sufficient bandwidth for inter-switch link should be prepared to support all paths on the link. Switches are recommended to ensure per-port fairness using any appropriate queueing algorithm. This is especially important for over-subscribed configuration, for example to have more than 16 OC12c paths on one OC192c inter-switch link. Although MAPOS v1 [5] can be applied to the MAPOS/PPP tunneling mode, MAPOS 16 [6] is recommended for ease of address management. Automatic switch address negotiation mechanism is not suitable for the MAPOS/PPP tunneling mode, because the path management mechanism becomes much more complex. 3. Service example Figure 4 shows an example of MAPOS network with four switches. Inter-switch links are provided at OC192c or OC48c rate, customer links are either OC3c or OC12c rate. Some links are optically protected. Path Database (Path DB) is used for path management. Using MAPOS-netmask with 8 bits, this topology can be extended up to 64 MAPOS switches, each equipped with up to 127 CPE ports. Switch addresses are fixed to pre-assigned values. The cost of optical protection (< 50ms) can be shared among paths. Unprotected link can also be coupled for more redundancy in case of link failure. SSP provides restoration path within a few seconds. 0x2003+---------+ +---------+ 0x2203 A----->| MAPOS | OC192c(protected) | MAPOS |<-------A' 0x2005| Switch 1|=======================| Switch 2| 0x2205 B----->| 0x2000/8| _________| 0x2200/8|<-------C' +---------+ / +---------+ OC192c| / | / OC48c(backup) +---------+ / +---------+ 0x2603 | MAPOS |_________/ | MAPOS |<-------B' 0x2405| Switch 3|=======================| Switch 4| C----->| 0x2400/8| OC192c(protected) | 0x2600/8| +---------+ +---------+ Shimizu, Kawano, Murakami & Beier [Page 7] INTERNET-DRAFT July 2000 Path database entries: ----------------------------------------------------------- User : Speed : PPP mode : Addrs pair : Status ----------------------------------------------------------- A-A' : OC3c : CRC32, scramble : 0x2003-0x2203 : Up and running B-B' : OC12c : CRC32, scramble : 0x2005-0x2603 : B Down C-C' : OC3c : CRC16, no-scram : 0x2405-0x2205 : C' Down ... ----------------------------------------------------------- Figure 4. Example Topology and its Path Management 4. Security Consideration There is no way to control or attack a MAPOS network from CPE side under PPP tunneling mode. It is impossible to tap other stream because it is completely transparent from the viewpoint of PPP layer. However, operaters must carefully avoid misconfiguration such as path duplication. Per-path isolation is extremely important. In addition, potential vulnerability still exists in a mixed environment where PPP tunneling mode and MAPOS native mode coexists in the same network. Use of such environment is not recommended, until some filter (like VLAN mechanism) is implemented in all MAPOS switches in the network. Note that there is no source address field in the MAPOS framing. For example, each switch may have forwarding database on per-port basis. Traffic from a MAPOS node is not forwarded to any of the tunneling ports that are listed as host-route entries in the forwarding table. 5. Expiration This Internet Draft expires within 6 months from the date of submission. 6. References [1] Murakami, K., and Maruyama, M., "MAPOS - Multiple Access Protocol over SONET/SDH Version 1", RFC2171, June 1997. [2] Malis, A., and Simpson, W., "PPP over SONET/SDH", RFC2615, June 1999. Shimizu, Kawano, Murakami & Beier [Page 8] INTERNET-DRAFT July 2000 [3] Simpson, W., Editor, "PPP in HDLC-like Framing", STD 51, RFC 1662, Daydreamer, July 1994. [4] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD 51, RFC1661, Daydreamer, July 1994. [5] Murakami, K., and Maruyama, M., "MAPOS - Multiple Access Protocol over SONET/SDH Version 1", RFC2171, June 1997. [6] Murakami, K., and Maruyama, M., "MAPOS 16 - Multiple Access Protocol over SONET/SDH with 16 Bit Addressing", RFC2175, June 1997. [7] Murakami, K., and Maruyama, M., "A MAPOS version 1 Extension - Switch-Switch Protocol", RFC2174, June 1997. [8] Murakami, K. and M. Maruyama, "A MAPOS version 1 Extension - Node Switch Protocol," RFC-2173, June, 1997. 7. Acknowledgements The authors would like to acknowledge the contributions and thoughtful suggestions of Takahiro Sajima. 8. Author's Address Susumu Shimizu Tetsuo Kawano Ken Murakami NTT Network Innovation Laboratories, 3-9-11, Midori-cho Musashino-shi Tokyo 180-8585 Japan Phone: +81 422 59 3323 Fax: +81 422 59 3765 E-mail: shimizu@ntt-20.ecl.net E-mail: kawano@core.ecl.net E-mail: murakami@ntt-20.ecl.net Eddy Beier DeTe Systems Nuremberg, Germany E-mail: Beier@bina.de 9. Full Copyright Statement "Copyright (C) The Internet Society (2000). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise Shimizu, Kawano, Murakami & Beier [Page 9] INTERNET-DRAFT July 2000 explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Shimizu, Kawano, Murakami & Beier [Page 10]