Tunnel SAFI
draft-nalawade-kapoor-tunnel-safi-03.txt
SSA Attribute
draft-kapoor-nalawade-idr-bgp-ssa-01.txt
Changes over previous version
draft-nalawade-kapoor-tunnel-safi-03.txt
• 4 more TLVs specified
  • MPLS
  • IPSec
  • GRE in IPSec
  • L2TPv3 in IPSec
• Specified application and operation of MPLS VPNs over IP Tunnels
• Specified application and operation of MPLS VPNs over IPSec Tunnels
draft-kapoor-nalawade-idr-bgp-ssa-01.txt
• Length portion of the TLVs clarified
• Type field contains a Transitive bit that indicates the transitivity of a TLV
• IETF feedback accepted and the attribute made specific for use by the Tunnel SAFI
draft-kapoor-nalawade-idr-bgp-ssa-01.txt
• The SSA Attribute carries information about a given Tunnel in a set of one or more Tunnel TLVs
• Each TLV carries a Tunnel capability and information
• The Sender can express preference for a specific Tunnel type in each TLV
• This addresses the case where a receiving PE may understand only a subset of the Tunnel Capabilities
• Each TLV can be marked Transitive
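The two slides above describe the SSA attribute as a set of Tunnel TLVs, each with a Length, a Type field carrying a Transitive bit, and a sender preference. The following Python is an added example, not code from either draft: it encodes and decodes such TLVs and shows what a receiving PE does with a TLV it does not understand. The wire layout (2-octet Type with the Transitive flag in the top bit, 2-octet Length covering only the Value, preference in the first Value octet) and the tunnel type codes in `TUNNEL_TYPES` are assumptions made for this example, not the drafts' registered values.

```python
"""Tunnel TLVs of a BGP SSA attribute: encode, decode, and apply the Transitive bit.

Added example, not code from the drafts. Wire layout is an ASSUMPTION made here:
  Type   : 2 octets; the most significant bit is the Transitive (T) flag,
           the low 15 bits identify the tunnel type
  Length : 2 octets; number of octets in Value (the "length portion" covers
           Value only, not the 4-octet header)
  Value  : Length octets; the first octet is taken as the sender's preference
           for this tunnel type, the rest is tunnel-specific information
Tunnel type codes in TUNNEL_TYPES are placeholders, not the drafts' registry.
"""
import struct

TRANSITIVE_BIT = 0x8000
TYPE_MASK = 0x7FFF

# Placeholder type codes (constructed for this example).
TUNNEL_TYPES = {1: "MPLS", 2: "GRE", 3: "IPSec", 4: "L2TPv3 in IPSec"}


def encode_tlv(tunnel_type, preference, info=b"", transitive=False):
    """Build one Tunnel TLV; preference 0..255, higher = more preferred by the sender."""
    if not 0 <= tunnel_type <= TYPE_MASK:
        raise ValueError("tunnel type must fit in 15 bits")
    if not 0 <= preference <= 0xFF:
        raise ValueError("preference must be one octet")
    value = bytes([preference]) + info
    if len(value) > 0xFFFF:
        raise ValueError("value too long for a 2-octet length")
    type_field = tunnel_type | (TRANSITIVE_BIT if transitive else 0)
    return struct.pack("!HH", type_field, len(value)) + value


def decode_tlvs(data):
    """Parse a sequence of Tunnel TLVs.

    A truncated or zero-length TLV makes the whole attribute invalid: the
    parser rejects it instead of silently keeping the TLVs parsed so far.
    """
    tlvs = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated TLV header at offset %d" % offset)
        type_field, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if length < 1 or offset + length > len(data):
            raise ValueError("bad TLV length %d at offset %d" % (length, offset - 4))
        value = data[offset:offset + length]
        offset += length
        code = type_field & TYPE_MASK
        tlvs.append({
            "type": code,
            "name": TUNNEL_TYPES.get(code, "unknown"),
            "transitive": bool(type_field & TRANSITIVE_BIT),
            "preference": value[0],
            "info": value[1:],
        })
    return tlvs


def tlvs_to_propagate(tlvs):
    """TLVs a receiving PE passes on: every TLV it understands, plus unknown
    TLVs marked Transitive. Unknown non-transitive TLVs are dropped, mirroring
    how BGP treats unrecognised non-transitive path attributes."""
    return [t for t in tlvs if t["name"] != "unknown" or t["transitive"]]
```

The strict length handling is the point a practitioner should take from the decoder: a receiver that accepts a partially parsed attribute would act on an incomplete view of the egress PE's capabilities, so a malformed attribute is rejected as a whole.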
Tunnel SAFI Applicability and Motivation
Tunnel SAFI Motivation
• PE-PE Connectivity via MPLS LSP may not be viable (no label path)
  • Multicast VPN (awaiting MultiPoint-LSP models)
  • Transit via non-MPLS domains
  • Migrations between IP and MPLS
• BGP VPN Auto-Discovery of L2VPN and L3VPN Tunnels
• PE-PE Tunnels Preferred / Required
• PE-PE Protection of IP Tunnel with IPSec
Multi-Point Tunnels
[Diagram: PE1, PE2, PE3 and PE4 attached to the PSN and joined by two multipoint tunnels, an MP-LSP and an MP-GRE tunnel]
Two Tunnel Types: Multipoint LSP and Multipoint GRE
-> PE1 and PE4 decision criteria must be defined
Hybrid Intra-AS
[Diagram: two PSNs joined by ASBR1 and ASBR2, which exchange BGP with labels; PE1 reaches ASBR1 over an IP tunnel, while PE2, PE3 and PE4 use MPLS]
Two Tunnel Types at ASBR1 and PE3:
-> ASBR1 needs to implement NULL-LSP to ASBR2, IPt to PE1, LSP to PE3
-> PE3 needs to distinguish LSP to ASBR1 and IPt to PE1
Extended AS via IP
[Diagram: PE1 and PE3 in the MPLS PSN, PE2 and PE4 on the INET side, the two ASBRs linked over IPv4; MPLS IPv4 intra-domain, IP tunnels PE1-PE2 and PE3-PE4 inter-domain]
Two Tunnel Types: LSP Intra-domain, IPtunnel Inter-domain
-> PE1 and PE3 must discern the tunnel type and tunnel endpoint for off net PE2 and PE4
Extended Inter-AS via IP
[Diagram: PE1 and PE3 in the MPLS PSN, ASBR1 and ASBR2 linked over IPv4, IP tunnels extending from PE1 and PE3 across the INET side to the remote endpoints (ASBR3 and ASBR4 in the node list)]
Two Tunnel Types: LSP and IPtunnel
-> ASBR1 must discern LSP for Intra-domain and IPt for Inter-domain
Tunneling Issues
• Various Tunneling techniques between MPLS VPN PE
  • IPSec, LSP, MP-LSP, GRE, L2TPv3, IP, GRE+IPSec, …
• Synchronization Issue
  • Egress PE doesn’t know the capabilities of the Ingress PE
  • Ingress PE confirmation of the egress PE’s tunneling capability state
  • Egress PE may have a subset of tunneling capabilities
  • Tunnel type may have unique attributes
• Achieving this through manual configuration is impractical for scalable deployment
Tunneling Characteristics
• Tunneling is a PE capability
• Tunnel provides ‘connection’ to BGP Next Hop address
• Tunnel end-point:
  • MAY be the BGP Next-Hop Network Address (Unicast)
  • An alternate Network Address (Unicast or Multicast)
Tunnel Advertisement Goals
• VPN prefixes may have an affinity to a particular tunnel type (secured/non-secured)
• Undesirable to Establish an IGP inside the Tunnel (the BGP Next Hop is directly reachable via the tunnel end-point)
• Ingress PE may select an appropriate tunneling mechanism based on the following:
  • Tunnel end-point reachability
  • Egress PE capabilities
  • Egress PE preferences
  • Local preferences that may override the Egress PE preferences
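The slide lists four inputs to the ingress PE's choice of tunnel. The following Python is an added example, not code from the drafts, that carries that selection through: it filters the egress PE's advertised tunnels by end-point reachability (the end-point may be the BGP next hop or an alternate address, as the previous slide notes), applies a VRF's affinity to secured tunnel types, and ranks what is left by local policy first and egress preference second. The record layout, the `SECURED_TYPES` set and the sample capabilities are assumptions constructed for this example.

```python
"""Ingress PE tunnel selection over an egress PE's advertised Tunnel TLVs.

Added example, not code from the drafts. It takes the four inputs listed on
the slide: tunnel end-point reachability, egress capabilities, egress
preferences, and a local policy that may override the egress preference.
The data structures below are an assumption of this example.
"""
import ipaddress

# Tunnel types that satisfy a VRF with a "secured" affinity (assumption).
SECURED_TYPES = {"IPSec", "GRE in IPSec", "L2TPv3 in IPSec"}


def endpoint_reachable(endpoint, reachable_prefixes):
    """True if the tunnel end-point lies inside a prefix the ingress PE can reach.

    The end-point may be the BGP next hop or an alternate address, so
    reachability is checked per advertised tunnel, not once per next hop."""
    addr = ipaddress.ip_address(endpoint)
    return any(addr in ipaddress.ip_network(p) for p in reachable_prefixes)


def select_tunnel(egress_caps, reachable_prefixes, require_secure=False, local_ranking=None):
    """Pick one tunnel, or None when no advertised tunnel is usable.

    egress_caps        : list of {"type", "preference", "endpoint"} as decoded
                         from the egress PE's SSA attribute (higher preference wins)
    reachable_prefixes : prefixes present in the ingress PE's routing table
    require_secure     : the VRF's prefixes have an affinity to secured tunnels
    local_ranking      : {type: rank}; a higher local rank overrides the egress preference
    """
    candidates = [c for c in egress_caps
                  if endpoint_reachable(c["endpoint"], reachable_prefixes)]
    if require_secure:
        candidates = [c for c in candidates if c["type"] in SECURED_TYPES]
    if not candidates:
        return None
    ranking = local_ranking or {}
    # Local policy first, egress preference second, type name as a stable tiebreak.
    return max(candidates,
               key=lambda c: (ranking.get(c["type"], 0), c["preference"], c["type"]))


# Constructed sample: what the egress PE advertised, and what the ingress PE can reach.
EGRESS_CAPS = [
    {"type": "MPLS", "preference": 200, "endpoint": "10.0.0.2"},   # BGP next hop
    {"type": "GRE", "preference": 100, "endpoint": "10.0.0.2"},
    {"type": "IPSec", "preference": 50, "endpoint": "192.0.2.9"},  # alternate end-point
]
REACHABLE = ["10.0.0.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    cases = [
        ("default", {}),
        ("secured VRF", {"require_secure": True}),
        ("local policy prefers GRE", {"local_ranking": {"GRE": 10}}),
        ("next hop unreachable", {"reachable_prefixes": ["192.0.2.0/24"]}),
    ]
    for label, overrides in cases:
        args = {"egress_caps": EGRESS_CAPS, "reachable_prefixes": REACHABLE}
        args.update(overrides)
        chosen = select_tunnel(**args)
        print(label, "->", chosen["type"] if chosen else None)
```

Returning `None` rather than falling back to an unsecured tunnel is deliberate: when a VRF requires a secured tunnel and none of the reachable advertised tunnels is one, the safe outcome is no tunnel, which surfaces the mismatch instead of quietly sending VPN traffic unprotected.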
Proposed Tunnel SAFI Attributes
• Distribution of
  • Tunnel Capabilities
  • Tunnel Attributes
  • Tunnel Identifier
  • Shared Tunnel Demultiplexor
  • Tunnel Authentication Info (Keys, Cookies, IKE Identities)
  • Tunnel Preferences
  • Tunnel End-point Addresses
  • Etc.
Tunnel Capability Advertisement
• MP-EXT Capability
  • Advertised IPv4 or IPv6 Tunnel Capability for a specific AFI/SAFI
• BGP Next-hop Prefixes Advertised for Tunnel AFI/SAFI
• BGP SSA Attributes (now specific to the Tunnel SAFI) advertised to the peer
Applicability
• BGP Auto-Discovery (draft-ietf-l3vpn-bgpvpn-auto-06.txt): Minimal tunnel information in the VPN discovery process
• PE-PE IPSec (draft-ietf-l3vpn-ipsec-2547-04.txt): Affinity of VRF to IPSec Tunnel Capability
• 2547bis via GRE/IP (draft-ietf-l3vpn-gre-ip-2547-04): Dynamic Establishment of Tunnels
• Multicast VPN (draft-ietf-l3vpn-2547bis-mcast-00.txt): MVPN Tunnels
Proposal
• Accept as a Working Group Document