Network Working Group                                       M. Duffy
   Internet Draft                                   Quarry Technologies
   Expires: April 2003                                     October 2002



          Framework for IPsec Protected Virtual Links for PPVPNs

                   draft-duffy-ppvpn-ipsec-vlink-00.txt


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress/"

   The list of current Internet-Drafts can be accessed at
        http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
        http://www.ietf.org/shadow.html.



Abstract

   This memo explores some choices that arise when IPsec is to be used
   to implement secure "virtual links" interconnecting customer premises
   VPN devices and/or network based virtual routers.  The main focus is
   on the network based cases.

   Requirements are proposed and some relevant aspects of the IPsec
   protocol suite are discussed.  A number of different protocol
   architectures for virtual links are then evaluated.

   This memo is informational in nature; it is intended that it will
   focus discussion toward a standard in this area.




Duffy                    Expires - April 2003                 [Page 1]


Internet Draft      IPsec Protected Virtual Links         October 2002


Table of Contents

   1. Introduction...................................................2
   2. Terminology Used in This Document..............................3
   3. Virtual Link Objectives........................................3
   4. Protocol Functions Needed to Implement Virtual Links...........4
   5. IPsec Considerations...........................................5
      5.1 Tunnel Mode vs. Transport Mode.............................5
      5.2 The Security Policy Database (SPD).........................5
      5.3 VPN Context Correlation....................................7
   6. Some Possible Protocol Architectures...........................8
      6.1 Tunnel Mode SA as Virtual Link.............................8
      6.2 Shared IP-in-IP Tunnel with Transport Mode IPsec...........9
      6.3 Distinct IP-in-IP Tunnel with Transport Mode IPsec.........9
      6.4 GRE Tunnel with Transport Mode IPsec......................10
      6.5 MPLS Tunnel with Transport Mode IPsec.....................11
      6.6 L2TP with Transport Mode IPsec............................11
   7. Recommendation................................................12
   8. Security Considerations.......................................12
   9. References....................................................13
      9.1 Normative References......................................13
      9.2 Informative References....................................13
   10. Summary for Sub-IP Related Internet Drafts...................14
   Author's Addresses...............................................14
   Full Copyright Statement.........................................14


1. Introduction

   A number of different technologies have been identified for
   implementing Provider Provisioned Virtual Private Networks (PPVPNs).
   Among the options for providing VPN services at layer 3 are virtual
   router based VPNs, CE-based IPsec VPNs, and BGP/MPLS VPNs.  All three
   types can capitalize on the creation of IPsec-protected virtual links
   between VPN-aware nodes at the edge of the network (either PE or CE
   based).  Both the virtual router approach and the dynamically routed
   flavor of CE-based IPsec approach require a virtual link mechanism,
   while the reach of BGP/MPLS VPNs can be extended by using virtual
   links to include remote sites.

   Although all these VPN types can use virtual links that carry IP
   packets across an IP network the VR-based L3 VPN overlay environment
   [VR-VPN] is the most demanding in terms of a solution.  This is
   because the VR approach requires a virtual link solution that
   simultaneously supports multiple links for multiple contexts, between
   a given pair of devices.




Duffy                    Expires - April 2003                 [Page 2]


Internet Draft      IPsec Protected Virtual Links         October 2002


   A number of drafts have been published dealing with the CE-CE case
   but there has not been much discussion of the VR (multi-context)
   case.

   This memo assumes some familiarity with the IPsec protocol suite
   including [IPSEC] and [IKE].

   The principal content of this memo is organized as follows:  Section
   3 lists some desirable properties of a virtual link mechanism.
   Section 4 describes protocol functions a virtual link system must
   perform.  Section 5 explains some aspects of IPsec that must be
   considered in using IPsec as a component of a secure virtual link
   solution.  Section 6 presents and evaluates a number of potential
   protocol architectures.


2. Terminology Used in This Document

   CE:                   Customer Edge router
   PE:                   Provider Edge router
   Tunnel ingress node:  A system or device that transmits packets
                         into a tunnel
   Tunnel egress node:   A system or device that receives packets from
                         a tunnel
   Tunnel endpoint:      Either a tunnel ingress node or a tunnel
                         egress node


3. Virtual Link Objectives

   For purposes of this memo we define a virtual link as a construct
   that provides a point-to-point link layer service implemented over an
   IP network.  Each end of a virtual link terminates as an IP interface
   of a router or virtual router (VR), which may form routing
   adjacencies and forward IP packets over the link.

   The following are viewed as important properties for virtual links:

     -  Support multiple independent virtual links between a given pair
   of systems (e.g. PE devices) serving different contexts (e.g.
   different VR pairs).

     -  Provide IPsec security services for each virtual link including
   integrity, data origin authentication, protection against replays,
   and confidentiality.

     -  Provide a choice of using IPsec or not, with per-VPN-context and
   per-remote-PE granularity.


Duffy                    Expires - April 2003                 [Page 3]


Internet Draft      IPsec Protected Virtual Links         October 2002



     -  Support interoperation of network-based (PE-based) virtual
   routers with Provider Provisioned CE based IPsec VPN devices.

     -  Operate in systems that simultaneously use IPsec for other
   purposes.

     -  Require no new protocol development and minimum extensions to
   existing protocols.


4. Protocol Functions Needed to Implement Virtual Links

   Virtual links are implemented using tunneling technologies.  A
   tunnel, by means of encapsulation, provides isolation for packets
   sent through it.  It thus allows packets to traverse domains they
   could perhaps not traverse natively, or to be delivered to
   intermediate destinations not implied by their destination addresses.

   Besides encapsulation, tunneling for virtual links requires:

     -  Multiplexing.  The ability to support and distinguish multiple
   logical streams of data within a tunnel and/or the ability to support
   and distinguish multiple tunnels between a pair of tunnel endpoints.
   In fact, the two abilities are logically equivalent and differ only
   by which entity one applies the term "tunnel" to.  In the remainder
   of this document we shall use the word tunnel in the latter sense
   i.e. a tunnel carries packets for one VPN context but there may be
   multiple tunnels between a given pair of tunnel endpoints.

     -  Tunnel management (setup/maintenance/teardown) signalling.  This
   allows the tunnel endpoints to be explicitly aware of whether a
   particular tunnel is present or not and perhaps whether it has
   connectivity (liveliness).  In cases where the tunnel mechanism
   itself does not provide liveliness detection, dynamic routing
   protocols, if used, can provide this function.

     -  VPN context correlation.  The ability to determine, at the
   tunnel egress node, what application and context each received packet
   is intended for.  The term "application" here refers to any one of
   perhaps several functional areas in the node that use tunnels, e.g.
   virtual link, IPsec security gateway, etc.  The "context," for the
   virtual link application, is a particular VPN i.e. as identified by a
   [VPN-ID].  Correlation may be done packet by packet in a
   connectionless manner, however this is likely to impose a high
   overhead cost.  An alternative, available with connection-oriented
   tunneling technologies, is to establish the correlation on a per-
   tunnel basis at tunnel setup time, binding the context identification


Duffy                    Expires - April 2003                 [Page 4]


Internet Draft      IPsec Protected Virtual Links         October 2002


   to a more compact multiplexing field that is transmitted on a per-
   packet basis.

   Support for Path MTU Discovery and for Quality of Service (QoS) on
   virtual links are important but are not considered in this memo.
   Reliable or in-order delivery are not required.


5. IPsec Considerations

   This section explores a number of choices and issues that must be
   addressed to use IPsec for virtual links.  Although these are
   separate issues they interrelate heavily with one another.

5.1 Tunnel Mode vs. Transport Mode

   IPsec may be used in two different encapsulation modes:  IPsec tunnel
   mode provides in-IP tunneling as a package deal with the security
   protocol.  IPsec transport mode does not provide tunneling.  In a
   virtual link application, IPsec transport mode is of necessity used
   in conjunction with some other in-IP tunneling protocol for an
   overall solution.

   At first glance tunnel mode seems attractive because it appears to be
   a one stop shop providing encapsulation, multiplexing, and (via IKE)
   explicit tunnel management.  However, there are difficulties with the
   semantics of the security policy and with VPN context correlation, as
   described in the following subsections.

   Decoupling tunneling and IPsec and providing them independently
   yields greater modularity, generally recognized as a Good Thing.
   Keeping tunneling and IPsec separate also allows for selective use of
   IPsec since the needed virtual link functions of encapsulation,
   multiplexing, tunnel management, and correlation are provided
   separately and there is no reliance on IPsec for these services.

5.2 The Security Policy Database (SPD)

   IPsec uses the IKE protocol to negotiate Security Associations (SAs)
   and their keying.  A fundamental aspect of this is the Quick Mode
   negotiation, via Client IDs, of the access control policy (packet
   selectors) for each IPsec SA.  IPsec devices base this negotiation on
   their provisioned Security Policy Databases (SPDs).  A nominally
   separate SPD exists for each interface on which IPsec is to run.

   The access control policy is one of the basic security services
   provided by IPsec.  It is packet classification against this policy
   that controls which packets are sent on, or must be received on, a


Duffy                    Expires - April 2003                 [Page 5]


Internet Draft      IPsec Protected Virtual Links         October 2002


   given SA.  By contrast, when using virtual links, we generally want
   to use a routing decision to determine which packets are sent on a
   given virtual link, and we generally don't require validation that
   packets were received from a "correct" link.  In a sense, we want a
   service that is like link-level encryption (, authentication, etc.)
   for the virtual link.  Thus, we have a mismatch between the way IPsec
   works and the way we want virtual links to work.  The nature and
   extent of this mismatch depends in large part of the relationship
   between IPsec SAs and virtual links:  *Is* a tunnel mode SA the
   virtual link, or does the virtual link have an existence of its own
   to which transport mode IPsec may be applied?

5.2.1 Tunnel Mode IPsec and the SPD

   If IPsec tunnel mode is used to implement a virtual link we would
   expect the negotiated selectors to apply to the headers of the "inner
   packets" e.g. the packets of the VPN.  Generally, these packets will
   be assigned to virtual links based on dynamic routing state and
   therefore the set of packets to be sent over a particular virtual
   link are not known a priori.  From the point of view of IPsec policy,
   this is essentially an arbitrary set of packets.  What is needed then
   is an SA that will carry any packets -- an SA whose selectors are all
   wildcards.  However, when multiple virtual links are required between
   the same pair of tunnel endpoints (e.g. for multiple VPN contexts)
   multiple SAs with the same wildcard client IDs must be negotiated.
   Classic IPsec will not generally negotiate multiple SAs out of a
   given SPD, those SAs having the same client IDs, since in the classic
   case it has no way to determine which to use for a given outgoing
   packet.  Resolving this requires a slightly liberal interpretation of
   IPsec, to have an SPD per virtual interface.  Unfortunately, it then
   becomes problematic for the IKE responder to determine which SPD to
   evaluate an incoming proposal against; this is discussed in section
   5.3.

5.2.2 Transport Mode IPsec and the SPD

   If another protocol is used to implement the tunnels, with IPsec
   applied in transport mode, we have essentially positioned the routing
   and tunneling a layer above IPsec.  In this case then the negotiated
   IPsec selectors might reasonably be expected to apply to the packet
   headers of the "outer packets" of the tunnel e.g. the GRE, L2TP, IP-
   in-IP, etc. packets.  The selectors match the endpoint addresses of
   the tunnel and the tunnel protocol.  There is no need to create
   multiple SAs with the same client IDs, and no need for an SPD per
   virtual interface.

   This would seem to be a better match with the access control
   functions of IPsec.  However, if IPsec is controlled solely by


Duffy                    Expires - April 2003                 [Page 6]


Internet Draft      IPsec Protected Virtual Links         October 2002


   evaluating SPD policy against already-encapsulated packets, it cannot
   provide much in the way of differentiated protection.  In particular,
   if the tunneling mechanism used is such that all tunnels between a
   pair of systems have the same outer addresses, protocol, and ports,
   then we cannot use the SPD to meet the goal of selecting IPsec on a
   per-VPN basis.

5.2.3 A Hybrid Transport Mode Approach

   Another possibility is to use a separate tunneling protocol with
   transport mode IPsec, but negotiate and apply IPsec policy on the
   "inner" packets.  This opens the possibility for a richer range of
   differentiated protection than the basic transport mode approach (in
   which the selectors of packets in the tunnel are invariant).
   However, this requires a very liberal interpretation of IPsec.  As
   such, it may be difficult to implement in some environments and it
   may engender strong objections from the IPsec community.

5.3 VPN Context Correlation

   For a system that is maintaining multiple contexts (e.g. multiple
   virtual routers) and which may therefore maintain multiple virtual
   links to a given remote system, it is essential that there be a way
   to determine at the downstream end which links are for which
   contexts.  In the cases where IPsec SAs are used to multiplex the
   virtual links this implies a need to determine which of potentially
   multiple IPsec applications in the system (e.g. Security Gateway
   service, IPsec-protected virtual links, etc.) a given SA is for.  For
   those SAs intended for virtual links, it is further necessary to
   associate them with the correct VPN context.

   Several recent Internet-Drafts ([CE-VPN], [TOUCH], [KNIGHT]) have
   discussed this area but they are all focused on the CE-based VPN case
   and do not address the multiplexing of multiple contexts between a
   pair of PE devices.  They do address the question of determining
   whether an SA is for a virtual link or not.  These drafts propose
   adopting the following convention:  an IKE proposal for transport
   mode IPsec for protocol IP-in-IP and client IP addresses that match
   the IKE endpoint addresses implies that the tunnel will be viewed as
   a virtual link and routing adjacencies may be formed on it.  This
   convention is expedient, but it is implicit rather than explicit, and
   it relies on an expectation that existing systems are not already
   using such proposals under other circumstances.  Also, it is not
   extensible to cover other possible applications.

   There are several ways that correlation info (e.g. a VPN-ID) could be
   passed explicitly from the IKE initiator (which presumably knows it)
   to the responder (which needs to know it) and bound to a particular


Duffy                    Expires - April 2003                 [Page 7]


Internet Draft      IPsec Protected Virtual Links         October 2002


   SA they negotiate.  Vendor specific payloads could be defined to
   carry the application identifier (e.g. virtual link) and the context
   (e.g. VPN-ID) in IKE.  However, vendor specific payloads are not a
   good approach to standardization.  New standardized IKE payloads
   could be defined, but this is unlikely to happen for IKE given the
   current focus of the IPsec working group on developing its successor.
   The now-expired [LORDELLO] proposed defining such new payloads within
   a new ISAKMP Domain of Interpretation (DOI).

   It is also possible to pass the correlation info implicitly from
   initiator to responder, by addressing the IKE proposal to different
   IP addresses belonging to the responder and/or by presenting
   different initiator addresses or IKE identities belonging to the
   initiator.  This approach has a number of disadvantages: it is crude,
   and it requires the maintenance of a tunnel endpoint IP address per
   VPN context.  Even at that it does not convey a VPN identification in
   absolute terms; rather, coordinated provisioning is still needed at
   both ends to establish which IP address corresponds with which VPN-
   ID, etc.  Furthermore, the scalability is severely decreased because
   this forces a separate (and computationally expensive) ISAKMP SA to
   be needed for each context.


6. Some Possible Protocol Architectures

   This section presents six different approaches to constructing
   virtual links secured by IPsec.  Each is evaluated against the
   requirements and considerations described in the preceding sections.

6.1 Tunnel Mode SA as Virtual Link

   This approach uses a tunnel mode IPsec SA to realize each virtual
   link.  Multiple virtual links between a pair of systems, serving
   different contexts, may be negotiated under a single ISAKMP SA.  The
   client IDs are all-wildcarded.

   Each IPsec SA is bound to a VPN-ID through a payload exchanged during
   the Quick Mode negotiation.

   Pros:
   .  This approach leverages the IKE Quick Mode as a tunnel management
      protocol.

   Cons:
   .  There is no IPsec-less (unsecured) operation available since it
      relies on IPsec for tunneling.




Duffy                    Expires - April 2003                 [Page 8]


Internet Draft      IPsec Protected Virtual Links         October 2002


   .  The current IKE standard does not define a payload to convey a
      VPN-ID; this would require a vendor-specific payload, IKE
      extension, etc.
   .  Requires the tunnel end points to support negotiating multiple
      IPsec SAs with the same client IDs.
   .  Unlikely to interoperate with CE-based devices.

6.2 Shared IP-in-IP Tunnel with Transport Mode IPsec

   This approach uses IP-in-IP tunneling [IP-IP] and a distinct
   transport mode IPsec SA to realize each virtual link.  Multiple
   virtual links between a pair of systems use the same IP-in-IP tunnel
   (i.e. the same endpoint addresses).  A single ISAKMP SA between a
   pair of systems is used.

   Each virtual link uses a separate transport mode IPsec SA, but they
   all have the same client IDs.  It is the SA (i.e. the SPI field) that
   distinguishes one virtual link from another.  Each IPsec SA is bound
   to a VPN-ID through a payload exchanged during the Quick Mode
   negotiation.

   Pros:
   .  This approach leverages the IKE Quick Mode as a tunnel management
      protocol.
   .  Likely to interoperate with CE-based devices to form routing
      adjacencies.

   Cons:
   .  There is no IPsec-less (unsecured) operation available since it
      relies on IPsec for multiplexing and for tunnel management
      signaling.
   .  The current IKE standard does not define a payload to convey a
      VPN-ID; this would require a vendor-specific payload, IKE
      extension, etc.
   .  Requires the tunnel end points to support negotiating multiple
      IPsec SAs with the same client IDs.

6.3 Distinct IP-in-IP Tunnel with Transport Mode IPsec

   This approach uses a distinct IP-in-IP tunnel to realize each virtual
   link.  Multiple virtual links between a pair of systems use distinct
   IP-in-IP tunnels (i.e. different endpoint addresses).  Transport mode
   IPsec is used to secure the tunnels, and the IKE also provides tunnel
   management signaling.  Each virtual link has its own distinct ISAKMP
   and IPsec SAs.

   Each virtual link terminates on a different tunnel endpoint (i.e.
   "outer") IP address and it is this that distinguishes one virtual


Duffy                    Expires - April 2003                 [Page 9]


Internet Draft      IPsec Protected Virtual Links         October 2002


   link from another.  The VPN context is bound to each tunnel endpoint
   address through configuration, directory lookup, or VPN
   autodiscovery.

   Pros:
   .  This approach leverages the IKE Quick Mode as a tunnel management
      protocol.
   .  Likely to interoperate with CE-based devices to form routing
      adjacencies.  This is the proposal of [KNIGHT] and [CE-VPN]
      extended to multi-context systems.

   Cons:
   .  There is no IPsec-less (unsecured) operation available since it
      relies on IPsec for the tunnel management signaling.  (Unless one
      does not care about the tunnel management.)
   .  Requires recognizing, and terminating tunnels on, multiple IP
      addresses (one per VPN context).
   .  Scales poorly because it requires an expensive ISAKMP SA per
      virtual link.
   .  VPN context correlation requires an external means to associate
      tunnel endpoint addresses to VPN-IDs and make the association
      known at both tunnel endpoints.

6.4 GRE Tunnel with Transport Mode IPsec

   This approach uses [GRE] to provide the tunneling.  Using the Key
   extension to GRE ([GRE-KEY]) multiple virtual links between a pair of
   systems are multiplexed within one GRE tunnel.  Transport mode IPsec
   is used when desired to secure the GRE tunnel -- one ISAKMP and one
   IPsec SA are used per PE pair.  Application of IPsec is based on an
   SPD rule matching the GRE (i.e. "outer") packet header.

   A VPN context is bound to each Key value through configuration,
   directory lookup, or VPN autodiscovery.

   Pros:
   .  IPsec-less operation is available since the tunneling is provided
      completely independently of IPsec.
   .  Requires neither extension nor liberal interpretation of IPsec.

   Cons:
   .  Unlikely to interoperate with CE-based devices.
   .  No tunnel management protocol.
   .  VPN context correlation requires an external means to associate
      GRE Key values to VPN-IDs and make the association known at both
      tunnel endpoints.
   .  Controlling IPsec use on a per-VPN basis cannot be done within the
      standard IPsec SPD model, since packets of different VPNs are not


Duffy                    Expires - April 2003                [Page 10]


Internet Draft      IPsec Protected Virtual Links         October 2002


      discernible by the selectors available to IPsec (the outer GRE
      packet).

6.5 MPLS Tunnel with Transport Mode IPsec

   This approach uses MPLS-in-IP ([MPLS], [MPLS-IP]) to provide the
   tunneling.  Using an MPLS label in an IP encapsulation, multiple
   virtual links between a pair of systems are multiplexed within one
   MPLS-in-IP tunnel.  Transport mode IPsec is used when desired to
   secure the MPLS-in-IP tunnel -- one ISAKMP and one IPsec SA are used
   per PE pair.  Application of IPsec is based on an SPD rule matching
   the MPLS-in-IP (i.e. "outer") packet header.

   A VPN context is bound to each MPLS label value.  MPLS labels might
   be distributed by a label distribution protocol, or by configuration,
   directory lookup, or piggybacked on autodiscovery.  If a label
   distribution protocol is used, that might serve as a tunnel
   management protocol.

   Pros:
   .  IPsec-less operation is available since the tunneling is provided
      completely independently of IPsec.
   .  Requires neither extension nor liberal interpretation of IPsec.

   Cons:
   .  Unlikely to interoperate with CE-based devices.
   .  VPN context correlation requires an external means to associate
      MPLS labels to VPN-IDs and make the association known at both
      tunnel endpoints.
   .  Controlling IPsec use on a per-VPN basis cannot be done within the
      standard IPsec SPD model, since packets of different VPNs are not
      discernible by the selectors available to IPsec (the outer MPLS-
      in-IP packet).

6.6 L2TP with Transport Mode IPsec

   This approach uses [L2TP] to provide the tunneling.  Using L2TP
   sessions carrying PPP sessions, multiple virtual links between a pair
   of systems are multiplexed within one L2TP tunnel.  Transport mode
   IPsec is used when desired to secure the tunnel -- one ISAKMP and one
   IPsec SA are used per PE pair.  Application of IPsec is based on an
   SPD rule matching the L2TP (i.e. "outer") packet header.

   A VPN context is bound to each L2TP session via the exchange of L2TP
   AVPs (e.g. the End Identifier AVP of L2TPv3 -- a similar AVP could be
   defined for L2TPv2).

   Pros:


Duffy                    Expires - April 2003                [Page 11]


Internet Draft      IPsec Protected Virtual Links         October 2002


   .  IPsec-less operation is available since the tunneling is provided
      completely independently of IPsec.
   .  Requires neither extension nor liberal interpretation of IPsec.
   .  The L2TP control protocol serves as a tunnel management protocol.
   .  Other helpful PPP and L2TP features are available such as address
      negotiation, keepalives, etc.

   Cons:
   .  Unlikely to interoperate with CE-based devices.
   .  Controlling IPsec use on a per-VPN basis cannot be done within the
      standard IPsec SPD model, since packets of different VPNs are not
      discernible by the selectors available to IPsec (the outer L2TP
      packet).


7. Recommendation

   The PPVPN working group should develop a standard for IPsec-protected
   virtual links for the PE-PE environment and one for the CE-CE
   environment.  If those standards can be one and the same or if the
   CE-CE one can be a subset of the other it would be a plus.

   Of the approaches advanced in this memo, the L2TP based approach
   (section 6.6) appears to provide the nicest characteristics for the
   PE-PE case.  However, vendors of CPE equipment are unlikely to
   embrace this approach for the CE-CE case.  Also, it is arguably a bit
   on the heavyweight side.

   The distinct IP-in-IP tunnel approach (section 6.3) is also promising
   as it is likely to interoperate with CE-CE VPN devices, and it does
   not require extensions to IKE to signal the VPN-ID.


8. Security Considerations

   This memo deals with ways in which IPsec may be used to secure
   virtual links in virtual router based PPVPNs.  As such security
   issues are discussed throughout.

   Because the virtual router approach exchanges routing messages in-
   band with the VPN data on the virtual links, securing those links
   simultaneously secures both the VPN data plane and control plane (or
   more accurately, the reachability distribution part of the control
   plane).

   Security beyond the boundaries of the provider-provisioned network is
   beyond the scope of this memo and indeed, beyond the scope of the
   solutions described here.


Duffy                    Expires - April 2003                [Page 12]


Internet Draft      IPsec Protected Virtual Links         October 2002




9. References

9.1 Normative References

9.2 Informative References

   [CE-VPN]  De Clercq,  Paridaens, Krywaniuk, and Wang,  "An
   Architecture for Provider Provisioned CE-based Virtual Private
   Networks using IPsec,"  (Work in progress)  draft-ietf-ppvpn-ce-
   based-02.txt, June 2002.

   [GRE]  Farinacci, Li, Hanks, Meyer, and Traina,  "Generic Routing
   Encapsulation (GRE),"  RFC 2784, March 2000.

   [GRE-KEY]  Dommety, G.,  "Key and Sequence Number Extensions to GRE,"
   RFC 2890, September 2000.

   [IKE]  Harkins, D. and Carrel, D.,  "The Internet Key Exchange
   (IKE)," RFC 2409, November 1998.

   [IP-IP]  Perkins, C.,  "IP Encapsulation within IP," RFC 2003,
   October 1996.

   [IPSEC]  Kent, S. and Atkinson, R., "Security Architecture for the
   Internet Protocol," RFC 2401, November 1998.

   [KNIGHT]  Knight, P. and Gleeson, B.,  "A Method to Provide Dynamic
   Routing in IPsec VPNs,"  (Work in progress)  draft-knight-ppvpn-
   ipsec-dynroute-01.txt, July 2002.

   [L2TP]  Townsley, Valencia, Rubens, Pall, Zorn, and Palter,  "Layer
   Two Tunneling Protocol L2TP," RFC 2661, August 1999.

   [MPLS]  Rosen, E., Viswanathan, A., and Callon, R., "Multiprotocol
   Label Switching Architecture," RFC 3031, January 2001.

   [MPLS-IP]  Wooster, T., Rekhter, Y., and Rosen, E., "Encapsulating
   MPLS in IP or GRE,"  (Work in progress)  draft-rosen-mpls-in-ip-or-
   gre-00.txt, August 2002.

   [TOUCH] Touch, J. and Eggert, L.,  "Use of IPsec Transport Mode for
   Dynamic Routing,".  (Work in progress)  draft-touch-ipsec-vpn-04.txt,
   June 2002.

   [VPN-ID]  Fox, B. and Gleeson, B.,  "Virtual Private Networks
   Identifier," RFC 2685, September 1999.


Duffy                    Expires - April 2003                [Page 13]


Internet Draft      IPsec Protected Virtual Links         October 2002



   [VR-VPN] Knight, P. et al,  "Network based IP VPN Architecture using
   Virtual Routers,"  (Work in progress)  draft-ietf-ppvpn-vpn-vr-
   03.txt, July 2002.


10. Summary for Sub-IP Related Internet Drafts

   RELATED DOCUMENTS

   The References section lists a number of related documents.  [CE-VPN]
   and [KNIGHT] in particular discuss IPsec-protected virtual links,
   however the solution they propose is aimed at CE-based VPNs and is
   inadequate for PE-based VPNs, serving multiple contexts.

   WHERE DOES IT FIT IN THE PICTURE OF THE SUB-IP WORK?

   This I-D is intended for the PPVPN Working Group.

   WHY IS IT TARGETED AT THIS WG(s)?

   This document addresses a component that is essential for Virtual
   Router and CE-based provider provisioned VPNs, which are within the
   purview of the PPVPN working group.

   JUSTIFICATION

   The PPVPN working group has the charter, among other things, to
   develop virtual router based VPN standards and to provide for
   security and privacy of user data in a VPN environment.


Author's Addresses

   Mark Duffy
   Quarry Technologies
   8 New England Executive Park
   Burlington MA 01803  USA
   Email: mduffy@quarrytech.com


Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published


Duffy                    Expires - April 2003                [Page 14]


Internet Draft      IPsec Protected Virtual Links         October 2002


   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.






























Duffy                    Expires - April 2003                [Page 15]