Note that this is an Experimental document.
Technical Summary
In BGP/MPLS IP Virtual Private Networks (VPNs), VPN data packets
traveling from one Provider Edge (PE) router to another generally
carry two MPLS labels, an "inner" label that corresponds to a VPN-
specific route, and an "outer" label that corresponds to a Label
Switched Path (LSP) between the PE routers. In some circumstances,
it is desirable to support the same type of VPN architecture, but
using an IPsec Security Association in place of that LSP. The
"outer" MPLS label would thus be replaced by an IP/IPsec header.
This enables the VPN packets to be carried securely over non-MPLS
networks, using standard IPsec authentication and/or encryption
functions to protect them. This draft specifies the procedures which
are specific to support of BGP/MPLS IP VPNs using the IPsec
encapsulation.
Protocol Quality
This spec was reviewed by Mark Townsley. The L3VPN chairs believe that
this has been deployed, if not widely.