Architecture for the Use of PE-PE IPsec Tunnels in BGP/MPLS IP VPNs

Document Type Expired Internet-Draft (l3vpn WG)
Author Eric Rosen 
Last updated 2015-10-14 (latest revision 2005-08-08)
Stream Internet Engineering Task Force (IETF)
Intended RFC status Experimental
Expired & archived
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state Expired (IESG: Dead)
Consensus Boilerplate Unknown
Responsible AD Ross Callon

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


In BGP/MPLS IP Virtual Private Networks (VPNs), VPN data packets traveling from one Provider Edge (PE) router to another generally carry two MPLS labels, an "inner" label that corresponds to a VPN-specific route, and an "outer" label that corresponds to a Label Switched Path (LSP) between the PE routers. In some circumstances, it is desirable to support the same type of VPN architecture, but using an IPsec Security Association in place of that LSP. The "outer" MPLS label would thus be replaced by an IP/IPsec header. This enables the VPN packets to be carried securely over non-MPLS networks, using standard IPsec authentication and/or encryption functions to protect them. This draft specifies the procedures which are specific to support of BGP/MPLS IP VPNs using the IPsec encapsulation.


Eric Rosen (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)