Network Working Group                                  Tissa Senevirathne
Internet Draft                                          Waldemar Augustyn
Document: draft-tsenevir-wvpn-00.txt
Category: Informational                                         June 2002


    Architecture and Framework for Wireless Virtual Private Networks (VPN)


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   For potential updates to the above required-text see:
   http://www.ietf.org/ietf/1id-guidelines.txt

1. Abstract

   In this document we present an architecture and framework for
   wireless VPN services. The wireless VPN services discussed here focus
   on mobile users of GSM and 3G services. This document does not
   discuss wireless LAN services provided by the 802.11 standard. In
   this document wireless VPN services are presented as a VPN service
   with special requirements; the characteristics of the underlying
   physical layer are considered out of scope. The purpose of the
   document is to initiate discussion on WVPN with the possibility of
   expanding the PPVPN charter to include WVPN.

Senevirathne               Informational - December 2002               1

RELATED DOCUMENTS

   Cited in the references below.

WHERE DOES THIS FIT IN THE PICTURE OF THE SUB-IP AREA

   PPVPN

WHY IS IT TARGETED AT THIS WG

   The charter of the PPVPN WG is centered around Provider Provisioned
   VPN. Wireless VPN services provided by service providers are, in
   theory, Provider Provisioned VPNs. The PPVPN charter may eventually
   be expanded to include WVPN as a specific WG item.

JUSTIFICATION

   Wireless VPN is an emerging technology. WVPN has its own set of
   issues. The framework, architecture and requirements of WVPN need to
   be addressed in order to ensure future interoperability of the
   service. This document is intended as a starting point for discussion
   on Wireless VPN.

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [2].

3. Introduction

   Wireless services are gaining popularity as a convenient alternative
   to more classical wired networks. There are two kinds of wireless
   users: wireless local area network users and mobility-based wireless
   users (e.g. cell phone users). In this document we only discuss
   mobility-based wireless services.

   Mobile users access service provider networks via VPN services. The
   VPN services provided to mobile users are defined, in this document,
   as wireless VPN services. To a mobile user, a wireless VPN appears as
   a provider provisioned VPN. However, wireless VPN has a different
   architecture, framework and requirements than classical wire-line VPN
   services. In this document we present the wireless VPN architecture
   and framework.

4. Terminology

   WVPN    - Wireless Virtual Private Network
   MT      - Mobile Terminal
   WVPN-G  - WVPN Gateway
   WVPN-PE - WVPN Provider Edge device
   GPRS    - General Packet Radio Service
   WAP     - Wireless Application Protocol

6. Wireless VPN Architecture Requirements

   Wireless VPN services have significant similarities to more
   traditional wire-line VPN services. However, they differ in two
   areas: the degree of mobility of users, and the architecture of the
   service plane. Where a wire-line VPN has a device-wide service plane,
   a WVPN tends to have a network-wide service plane.

6.1 Mobility user support

   WVPN users MAY migrate from one location to another. The WVPN service
   MUST support mobility of users.

6.2 Service preservation

   The WVPN service SHOULD NOT disrupt user sessions when users move from
   one WVPN Gateway to another. Seamless migration of services from one
   WVPN Gateway to another is important to maintain end-to-end
   connectivity, and thus services.

6.3 Multiprotocol Support

   IPv6 is seen as the ultimate protocol in WVPN networks. However, due
   to the large installed base of IPv4 on the Internet, it will be a
   while until the entire Internet becomes IPv6 (maybe never). Hence,
   WVPN gateways SHOULD have the ability to support both IPv6 and IPv4.

6.4 Quality of Service

   The 3G wireless standards provide strong Quality of Service features.
   WVPN gateway nodes SHOULD have the ability to support the QoS
   features required by the overlay wireless services. The WVPN service
   MUST be able to provide the required QoS levels as a user moves from
   one WVPN Gateway to another.

6.5 Service Plane

   WVPN services can be divided into two broad classes: wireless access
   specific services and traditional Internet services. Some of these
   services MAY not need to be migrated with the user. With that
   requirement in mind, the service plane can be further classified into
   portal specific services and global services.

   The WVPN service MUST maintain global services across a mobile user's
   migration path. The WVPN service SHOULD maintain portal services
   across a mobile user's migration path.

6.6 Scalability

   WVPN gateways require two different scalability metrics: global
   scalability and portal scalability.
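   The split between a network-wide global service plane and per-gateway
   portal services (6.5), together with the two scalability dimensions
   (6.6), can be made concrete with a small model. The following Python
   is an added illustration, not code from this draft, which defines no
   data structures; the class names, the dictionary layout of "services"
   and the constructed session data are all assumptions. The point it
   shows is the one the Security requirements (6.7) state for migration:
   global state never moves and so survives any hand-off, portal state is
   carried across when the target gateway accepts the session, and the
   MT-to-gateway binding is rewritten only after that acceptance, so a
   refused migration (target portal at its bound) leaves the session,
   and packet routing, exactly where it was.

```python
"""Toy model of a WVPN service plane: one network-wide global plane shared
by all gateways, plus per-gateway portal services and a per-gateway bound.
Assumed design for illustration only; the draft defines no data structures."""
from dataclasses import dataclass, field


class CapacityExceeded(Exception):
    """Raised when a portal or global session bound would be exceeded."""


@dataclass
class Gateway:
    """A WVPN gateway (WVPN-G) holding portal-specific state for attached MTs."""
    name: str
    portal_bound: int                                  # local session upper bound
    portal_state: dict = field(default_factory=dict)   # mt -> portal services
    active: set = field(default_factory=set)           # MTs attached here

    def attach(self, mt, portal_services):
        if len(self.active) >= self.portal_bound:
            raise CapacityExceeded(f"{self.name}: portal bound reached")
        self.active.add(mt)
        self.portal_state[mt] = dict(portal_services)

    def detach(self, mt):
        self.active.discard(mt)
        return self.portal_state.pop(mt, {})


class GlobalServicePlane:
    """Network-wide plane: MT -> gateway binding plus global services."""

    def __init__(self, global_bound):
        self.global_bound = global_bound        # provider-wide session bound
        self.binding = {}                       # mt -> gateway name
        self.global_state = {}                  # mt -> global services
        self.gateways = {}

    def add_gateway(self, gw):
        self.gateways[gw.name] = gw

    def connect(self, mt, gw_name, global_services, portal_services):
        if len(self.binding) >= self.global_bound:
            raise CapacityExceeded("global bound reached")
        self.gateways[gw_name].attach(mt, portal_services)
        self.binding[mt] = gw_name
        self.global_state[mt] = dict(global_services)

    def migrate(self, mt, new_gw_name):
        """Move MT between gateways. Global services are untouched (MUST
        survive); portal services are carried across (SHOULD survive). The
        binding is updated only after the new gateway has accepted the
        session, so route() never names a gateway lacking the session."""
        old_gw = self.gateways[self.binding[mt]]
        new_gw = self.gateways[new_gw_name]
        new_gw.attach(mt, old_gw.portal_state.get(mt, {}))  # may raise
        old_gw.detach(mt)
        self.binding[mt] = new_gw_name

    def route(self, mt):
        """Gateway that must receive packets for MT; checks the binding is
        consistent with gateway state (the 'no misrouting' requirement)."""
        gw_name = self.binding[mt]
        if mt not in self.gateways[gw_name].active:
            raise RuntimeError(f"stale binding for {mt}")
        return gw_name


def demo():
    """Constructed scenario: two gateways, two MTs, one clean migration and
    one refused because the target portal is full. Returns what was observed."""
    plane = GlobalServicePlane(global_bound=10)
    plane.add_gateway(Gateway("gw-a", portal_bound=2))
    plane.add_gateway(Gateway("gw-b", portal_bound=1))
    plane.connect("mt1", "gw-a", {"vpn": "corp"}, {"wap_session": "s1"})
    plane.connect("mt2", "gw-a", {"vpn": "corp"}, {"wap_session": "s2"})
    before = plane.route("mt1")
    plane.migrate("mt1", "gw-b")                     # succeeds
    try:
        plane.migrate("mt2", "gw-b")                 # gw-b is now full
        refused = False
    except CapacityExceeded:
        refused = True
    return {
        "mt1_before": before,
        "mt1_after": plane.route("mt1"),
        "mt1_global": plane.global_state["mt1"],
        "mt1_portal": plane.gateways["gw-b"].portal_state["mt1"],
        "mt2_refused": refused,
        "mt2_route": plane.route("mt2"),             # still served by gw-a
    }


if __name__ == "__main__":
    print(demo())
```

   Running demo() shows mt1 routed to gw-a before and gw-b after the
   move with both its global and portal services intact, while the
   refused migration of mt2 leaves it routed to gw-a. The ordering in
   migrate() (accept on the target, then release on the source, then
   rewrite the binding) is what keeps the binding and gateway state
   consistent at every step; a real implementation also has to make
   that ordering hold across the network, since the binding lives in the
   global plane rather than on either gateway.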
   Global scalability arises from the fact that the entire WVPN service
   is required to support user mobility and hence needs to share
   information across WVPN devices. Global scalability provides an upper
   bound on the number of WVPN sessions that a given provider can
   maintain at any one time.

   Portal scalability is defined as the upper bound of the local device.
   It may be further divided into an active upper bound and a concurrent
   upper bound. The active upper bound is the maximum number of active
   sessions the given device can maintain. The concurrent upper bound is
   the upper bound on anticipated sessions: users expected to arrive due
   to mobility but not yet connected.

6.7 Security

   In order to provide non-disruptive service under mobility, the WVPN
   service is required to share security and other information among
   WVPN Gateways. Such distribution of information MUST NOT compromise
   the security requirements specified by the standard for that protocol
   or service. Packet misrouting MUST NOT occur when a user's portal
   migrates from one WVPN Gateway to another.

6.8 Access

   Wireless VPNs use different tunnel protocols to forward packet data
   over the cellular network. General Packet Radio Service (GPRS) is
   commonly used to carry packets in GSM (Global System for Mobile
   Communications) networks. WVPN Gateways MUST support the selected
   tunnel protocol. The exact protocol depends on the wireless service
   standard chosen.

6.9 Gateway Services

   Wireless VPN gateways MUST support Wireless Application Protocol
   (WAP) to HTTP gateways. Wireless gateways SHOULD have the ability to
   maintain session integrity across WAP gateways when users migrate.

6.10 Topology

   WVPN Gateways MUST at minimum support a hub and spoke topology.
   Support for other topology variations is optional.

6.11 General Properties

   - Wireless VPN users require access to public/private networks.
     Hence the wireless PE device is the gateway to the public networks.
   - Wireless VPN users require secure access to the Wireless Provider
     Edge device.
   - Wireless VPN users are mobile, but require to be "always connected"
     irrespective of their mobility.
   - Wireless PE devices are required to provide an extensive set of
     services.

   ---------------------------------------------
   |                                           |
   |            Global Service Plane           |
   |                                           |
   ---------------------------------------------

   ----------- -----         ----------- -----
   |         | |   |         |         | |   |
   | WVPN-G  | |P-S|         | WVPN-G  | |P-S|
   |         | |   |         |         | |   |
   ----------- -----         ----------- -----
   |  Access  |              |  Access  |
   -----------               -----------

   P-S    - Portal Services
   WVPN-G - Wireless VPN gateways
   Access - Access specific services

   Fig: Service Model for Wireless VPN services

7. Network Reference Model

   ----                  ----------
   | MT |-----.-.-.-.-.-.|         |---------- Service Node(s)
   ----      .          | WVPN-PE |               |
   ----      .          |         |------         |
   | MT |-----           ----------      |        |
   ----                                  |   -----------------
                                         ----| Provider Core |===> Internet
   ----                  ----------      |   -----------------
   | MT |-----.-.-.-.-.-.|         |------
   ----      .          | WVPN-PE |
   ----      .          |         |
   | MT |-----           ----------
   ----

   Fig: Wireless VPN Reference Model

   The path between MT and WVPN-PE represents a network; most often this
   is the GPRS access network. A Service Node is one or more nodes that
   provide the required services. Some of this functionality may be
   integrated into the WVPN-PE itself. The Service Node is an integral
   part of the global service plane. It may also participate in the
   portal service plane.

8. Security Considerations

   Related security issues are discussed in section 6.7 above.

9. References

   [1] Bradner, S., "The Internet Standards Process -- Revision 3",
       BCP 9, RFC 2026, October 1996.

   [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", BCP 14, RFC 2119, March 1997.

10. Acknowledgments

   Not provided.

11. Author's Addresses

   Tissa Senevirathne
   1567 Bellevile Way
   Sunnyvale, CA 94087
   Phone: 408-245-5897
   Email: tsenevir@hotmail.com

   Waldemar Augustyn
   Email: waldemar@nxp.com

Full Copyright Statement

   Copyright (C) The Internet Society (2002). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into