MPLS Working Group                                         Juha Heinanen
Internet Engineering Task Force                      Telia Finland, Inc.
INTERNET DRAFT                                 Bryan Gleeson, Arthur Lin
Expires February 1998                              Shasta Networks, Inc.

                MPLS Mappings of Generic VPN Mechanisms

1. Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories.

2. Abstract

   This document describes a set of generic mechanisms which can be used
   to set up network based Virtual Private Networks (VPN) across IP
   networks. In particular, it describes how these mechanisms can be
   mapped into a network running the Multi-Protocol Label Switching
   (MPLS) specification.  The mechanisms described, however, can apply
   to any type of IP network running various forms of IP tunneling
   mechanisms, and are not solely restricted to MPLS networks.  This
   Draft serves to introduce these generic mechanisms, which are part of
   the broader VPN framework which will be described more fully in
   forthcoming Drafts.

3. Introduction

   An earlier Draft [Heinanen] proposed a number of mechanisms for
   Virtual Private Network (VPN) support in networks running the Multi-
   Protocol Label Switching (MPLS) specification [Callon].

Heinanen, et al.                                                [Page 1]

INTERNET DRAFT  MPLS Mappings of Generic VPN Mechanisms     August, 1998

   Subsequently, it was noted that most of the mechanisms proposed in
   that Draft are subsets of generic VPN mechanisms, and can also apply
   to current IP networks.  Hence this Draft first discusses these
   generic mechanisms and shows how these may be applied in general IP
   networks.  In particular, these can be applied in IP networks not
   running any major new protocol, such as MPLS, which may facilitate
   roll-out of VPN services on current IP networks, prior to the
   possible future deployment of MPLS.  Subsequently, the Draft also
   discusses how these mechanisms can be applied to MPLS networks in

   As with the earlier Draft, this Draft is intended to serve as a
   framework, highlighting areas for more detailed specification.
   Neither has enough detail to allow for interoperable implementations.
   Hence more work is required to finalize a specification for VPN
   support, both on MPLS networks and on current networks.  A future
   Internet Draft will propose a more general VPN framework and specific
   areas for future specification so as to allow more general
   interoperable VPN solutions.

4. VPN Definition and Scope

   A VPN can be succinctly defined as the emulation of a private wide
   area network (WAN) facility using IP facilities (including the public
   Internet, or private IP backbones).  There are a wide variety of VPN
   types, corresponding to the very wide variety of WAN facilities that
   are currently defined. Future Drafts will discuss the full range of
   possible VPN types, but the particular type of VPN specifically
   discussed in this Draft can be described as a 'virtual private routed
   network' (VPRN), in which a customer with multiple geographically
   dispersed sites wishes to connect each of these sites together into a
   private network. Such networks are routinely built today using, for
   instance, frame relay links and/or leased lines between the routers
   at each pair of sites, or, more likely, given the cost of such links,
   by star wiring each site to a single central site.

   A VPRN emulates such a network using dedicated IP links.  The nature
   of the connectivity of these sites is discussed further below, but
   for the moment it can be assumed that it is desired that each of
   these sites be logically meshed to each other site, since less cost
   is associated with full meshing in a virtual IP network than in
   cases where physical resources (e.g. Frame Relay DLCI, or a leased
   line) must be allocated for each connected pair of sites.  This
   yields optimal routing, since it precludes the need for traffic
   between two sites to traverse through a third.

   VPNs of various sorts are today routinely implemented using a
   combination of host applications and customer premises equipment
   (CPE) routers.  The mechanisms discussed in both this Draft and its
   predecessor, however, apply specifically only to the class of
   'network based VPNs', where the operation of the VPN is outsourced to
   an Internet service provider (ISP), and is implemented on network as
   opposed to CPE equipment.  There is significant interest in such
   solutions both by customers seeking to reduce support costs and by
   ISPs seeking new revenue sources.  The network based focus allows the
   use of particular mechanisms which may lead to highly efficient and
   cost effective VPRN solutions.  However such mechanisms also leverage
   tools (e.g. piggybacking on routing protocols) which are accessible
   only to ISPs and which are unlikely to be made available to any
   customer, or even hosted on ISP owned and operated CPE, due to the
   problems of coordinating joint management of the CPE gear by both the
   ISP and the customer.

   Hence, it is assumed that each customer site CPE router connects to
   an ISP edge router through one or more dedicated point-to-point stub
   links (e.g. leased lines, ATM or Frame Relay connections); the VPRN
   mechanisms discussed below will operate on each of these ISP edge
   routers, in order to route traffic received across a stub link to the
   appropriate destination customer site across its stub link.  In
   particular, the edge router will hide all VPRN topology information
   from the CPE routers, hence significantly simplifying the operation
   of the CPE.

   Note that a single ISP edge router could terminate multiple stub
   links belonging to the same VPRN.  The means by which traffic is
   routed between such local interfaces is outside the scope of
   standardization, per se, though obviously these would leverage many
   of the same routing and forwarding mechanisms used for communication
   with remote VPN sites.

   In such a scenario, a VPN connecting each of these sites must
   generally meet a number of minimum requirements, which arise from the
   need to essentially emulate the facilities that customers expect from
   a leased line facility, and which, hence, they also generally expect
   from any emulation of such a facility.  While there are a number of
   such requirements, three are of particular concern to this Draft:

   A. Support for Disjoint Address Spaces:

   The addressing used within the VPRN may have no relation to the
   addressing of the ISP, or ISPs, across which the VPRN may operate.
   In particular, the former may also be non-unique, private IP
   addressing [Rekhter1].

   B. Support for Intra-VPN routing:

   Since a VPRN will generally interconnect multiple sites, the VPRN
   mechanism must implement some mechanism by which intra-VPN traffic
   can be efficiently routed to the correct destination site within the

   C. Support for Data Security:

   In general, customers using VPNs require some form of data security,
   given the general perceptions of the lack of security of IP networks,
   and particularly that of the Internet.  Whether or not this
   perception is correct, it is one that must be addressed by any VPN
   implementation.  Most recent VPN implementations are converging on
   the use of IPSec facilities [Kent] for this purpose.

   Together, these requirements imply that VPRNs must be implemented
   through some form of IP tunneling mechanism, where the addressing
   used within the VPRN can be disjoint from that used to route the
   tunneled packets across the IP backbone.  Such tunnels, depending
   upon their form, can provide some level of intrinsic data security
   in the form of traffic separation between VPNs; confidentiality and
   integrity of the tunneled data, where required, must be provided by
   other mechanisms (e.g. IPSec).

   Such tunnels together form an overlay network operating over and
   across the general Internet backbone, connecting each of the ISP edge
   routers supporting VPN stub links to each other.  Within each of the
   ISP edge routers, there must be VPN specific IP forwarding
   mechanisms, to forward packets received across each of the stub links
   ('ingress' traffic) to the appropriate destination edge router, based
   upon the address space of the customer's network, and to forward
   packets received from the core ('egress' traffic) to the appropriate
   stub link, for cases where an edge router supports multiple stub
   links belonging to the same VPN (as will be noted below, VPN tunnels
   can, as a local matter, either terminate on the edge router, or on
   each stub link; in the former case, a VPN specific forwarding table
   is needed for egress traffic, in the latter case, it is not).

   Note also that a single customer site may belong concurrently to
   multiple VPNs, of various sorts, and/or may wish to transmit traffic
   both onto one or more VPNs and to the default Internet. The
   mechanisms needed to do this are outside the scope of this Draft, and
   are not discussed further.

   For the purposes of this Draft, it is also assumed that all of the
   traffic being sent across the VPRN is IP traffic, since the devices
   implementing the VPRN need to be able to interpret the packet header
   information to determine the appropriate end-point within the VPRN.
   However, the procedures discussed here could be readily extended for
   Multiprotocol transport, either by forming separate VPRNs for each
   protocol, or by running Multiprotocol routing and forwarding
   procedures in each VPN router, and multiplexing multiple protocols
   across the VPN stub links.  IP encapsulation methods could also be
   used to transport different protocols across IP links.  These
   multiprotocol transport mechanisms are left for further study.

5. Generic VPN Mechanisms

   ISPs wishing to offer tunnel based VPRN services need to be able to
   do so with minimal configuration, since this yields the most cost
   effective solution.  The generic VPN mechanisms discussed here apply
   to the means by which this can be done. The following sections
   discuss these in detail.

5.1 VPN Membership Information Configuration and Dissemination

   In order to establish a VPRN, or to insert new customer sites into an
   established VPRN, the stub links on each edge router from those sites
   in the particular VPRN must first be configured with the identity of
   the particular VPRN to which the stub links belong.  Note that this
   first step, of stub link configuration, is unavoidable, since clearly
   the edge router cannot infer such bindings and hence must be
   configured with this information.  The means by which this is done
   are outside the scope of this Draft, but a management information
   base (MIB) allowing for bindings between local stub links and VPN
   identities may be one obvious solution.

   Thereafter, each edge router must learn either the identity of, or,
   at least, the route to, each other edge router supporting other stub
   links in that particular VPRN.  Implicit in the latter is the notion
   that there exists some mechanism by which the configured edge routers
   can then use this edge router and/or stub link identity information
   to subsequently set up the appropriate tunnels between them; this is
   discussed further below.

   In order to configure each stub link with the identity of the VPN to
   which it belongs, some form of VPN identifier is required; the scope
   of uniqueness of this identifier is a function of its usage, which is
   related to how VPRN membership is disseminated.  This problem, of
   VPRN member dissemination between participating edge routers, can be
   solved in a variety of ways:

   A. Directory Lookup:

   The members of a particular VPRN, that is, at a minimum, the identity
   of the edge routers supporting stub links in the VPRN, and possibly
   also the identity of each of the stub links, could be configured into
   a directory, which edge routers could query, using some defined
   mechanism (e.g. LDAP), upon configuration of their local stub
   interfaces and VPN identifier. The latter, in this case, need only be
   unique within the scope of the directory.

   This mechanism allows for authorization checking prior to
   disseminating VPRN membership information, which may be desirable
   where VPRNs span multiple administrative domains.  In such a case,
   directory to directory protocol mechanisms could also be used to
   propagate authorized VPRN membership information between the
   directory systems of the multiple administrative domains.

   There would also need to be some form of database synchronization
   mechanism (e.g. triggered or regular polling of the directory by edge
   routers, or active pushing of update information to the edge routers
   by the directory) in order for all edge routers to learn the identity
   of newly configured sites inserted into an active VPRN.

   B. Explicit Management Configuration:

   A VPRN Management Information Base (MIB) could be defined which would
   allow a central management system to configure each edge router with
   the identities of each other participating edge router and possibly
   also the identity of each of the stub links.  Similar mechanisms
   could also be used, as noted above, to configure the VPN bindings of
   the local stub links on the edge router.  The scope of the VPN
   identifier in this case is related to the scope of the management

   Note that this mechanism allows the management station to impose
   strict authorization control; on the other hand, it may be more
   difficult to configure edge routers outside the scope of the
   management system.  The management configuration model can also be
   considered a subset of the directory method, in that the (management)
   directories could use MIBs to push VPRN membership information to the
   participating edge routers, either subsequent to, or as part of, the
   local stub link configuration process.

   C. Piggybacking in Routing Protocols:

   VPRN membership information could be piggybacked into the routing
   protocols run by each edge router, since this is an efficient means
   of automatically propagating information throughout the network to
   other participating edge routers.  Specifically, each route
   advertisement by each edge router could include, at the minimum, the
   set of VPN identifiers associated with each edge router, and adequate
   information to allow other edge routers to determine the identity of,
   and/or, the route to, the particular edge router.  Other edge routers
   would examine received route advertisements to determine if any
   contained information relevant to a supported (i.e. configured) VPRN;
   this determination could be done by looking for a VPN identifier
   matching a locally configured VPN.  The nature of the piggybacked
   information, and related issues, such as scoping, and the means by
   which the nodes advertising particular VPN memberships will be
   identified, will generally be a function both of the routing protocol
   and of the nature of the underlying transport, and is discussed
   further below.

   The advantage of this last scheme is that it allows for very
   efficient information dissemination, particularly across multiple
   routing domains (e.g. across different autonomous systems/ISPs) but
   it does require that all nodes in the path, and not just the
   participating edge routers, be able to accept such modified route
   advertisements. Significant administrative complexity may also be
   required to configure scoping mechanisms so as to both permit and
   constrain the dissemination of the piggybacked advertisements.

   Furthermore, unless some security mechanism is used for routing
   updates so as to permit only the relevant edge routers to read the
   piggybacked advertisements, this scheme generally implies a trust
   model where all routers in the path must perforce be authorized to
   know this information.  Depending upon the nature of the routing
   protocol, piggybacking may also require intermediate routers,
   particularly autonomous system (AS) border routers, to cache such
   advertisements and potentially also re-distribute them between
   multiple routing protocols.

   Each of the schemes described above has merit in particular
   situations. The earlier Draft [Heinanen] discussed the last scheme
   only, and that is further spelled out below, but the other two
   schemes may also offer important practical advantages.  In
   particular, note that, in practice, there will almost always be some
   directory or management system which will maintain VPN membership
   information, since, as noted above, the binding of VPNs to stub links
   must be configured, hence, presumably, such information would be
   obtained from, and stored within, some database.  Hence the
   additional steps to facilitate the configuration of such information
   into edge routers, and/or, facilitate edge router access to such
   information, may not be excessively onerous.  These methods will be
   discussed in greater detail in forthcoming Drafts.

5.1.1 VPN Identifier

   A principal benefit of the router piggybacking model is that it
   allows for simple dissemination of VPN membership information across
   multiple ASs. This implies the need for a VPN identifier that can be
   unique across multiple ASs. To that end, [Heinanen] proposed a
   globally unique VPN identifier (note that such an identifier may be
   useful for VPN types other than only VPRNs) made up of the
   concatenation of an AS number, and a label assigned by the AS
   administrator which is locally unique within the particular AS. It is
   proposed that this be adopted as the VPN identifier, with the further
   stipulation that the VPN ID be coded as a four octet BGP Communities
   Attribute [Chandra], made up of a two octet AS number and a two octet,
   unstructured integer VPN number, to allow for sufficient numbers of
   VPNs per AS.  The specific details of this proposed format are for
   future clarification.

   Note that where a VPN crosses multiple ASs, then there must be some
   administrative mechanisms to coordinate VPN ID assignment e.g.
   through the notion of a 'home AS' for a particular VPN, which is used
   in the VPN ID of that VPN. A VPN ID coded as proposed could also be
   easily piggybacked in BGP, and could also be easily specified within
   BGP policy filters in AS border routers for scoping and
   administrative purposes.

   For the remainder of the discussion, it is assumed that the VPN
   identifier will be as so described.
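
   As an added illustration, not part of this Draft, the following
   Python code shows the VPN ID coded as a four octet community (two
   octet AS number, two octet VPN number), its wire form, a border
   router style scoping filter on the home AS, and the membership check
   described in section 5.1 C, whereby an edge router compares the VPN
   IDs carried in received advertisements against its locally configured
   VPNs to learn which remote edge routers share each VPRN.  The
   advertisement record, the function names and the sample addresses
   are assumptions made for this example.

```python
"""VPN ID coded as a four octet BGP community (two octet AS number plus
two octet VPN number), and the membership check an edge router applies
to piggybacked route advertisements.

Added illustration, not text or code from the draft.  The advertisement
record, the function names and the sample addresses are assumptions."""
from __future__ import annotations

import struct
from dataclasses import dataclass


def encode_vpn_id(asn: int, vpn_number: int) -> int:
    """Concatenate AS number (high 16 bits) and VPN number (low 16 bits)."""
    if not 0 <= asn <= 0xFFFF or not 0 <= vpn_number <= 0xFFFF:
        raise ValueError("AS number and VPN number must each fit in 16 bits")
    return (asn << 16) | vpn_number


def decode_vpn_id(community: int) -> tuple[int, int]:
    """Split a community value back into (AS number, VPN number)."""
    return (community >> 16) & 0xFFFF, community & 0xFFFF


def vpn_id_to_wire(community: int) -> bytes:
    """Four octets, network byte order, as carried in the Communities attribute."""
    return struct.pack("!I", community)


def vpn_id_from_wire(octets: bytes) -> int:
    (value,) = struct.unpack("!I", octets)
    return value


def format_vpn_id(community: int) -> str:
    """Usual AS:number rendering of a community, e.g. '65000:42'."""
    asn, vpn = decode_vpn_id(community)
    return f"{asn}:{vpn}"


@dataclass(frozen=True)
class RouteAdvertisement:
    # Assumed shape: the address of the advertising edge router (the route
    # to it) and the set of VPN ID communities attached to the advertisement.
    edge_router: str
    communities: frozenset[int]


def scope_filter(adv: RouteAdvertisement, permitted_home_ases: set[int]) -> RouteAdvertisement:
    """AS border router policy: keep only VPN IDs whose home AS is permitted to
    cross this boundary; everything else is stripped before re-advertising."""
    kept = frozenset(c for c in adv.communities if decode_vpn_id(c)[0] in permitted_home_ases)
    return RouteAdvertisement(adv.edge_router, kept)


def relevant_peers(local_vpns: set[int], adverts: list[RouteAdvertisement]) -> dict[int, set[str]]:
    """For each locally configured VPN ID, the remote edge routers that
    advertised it.  Advertisements carrying no matching VPN ID are ignored."""
    peers: dict[int, set[str]] = {vpn: set() for vpn in local_vpns}
    for adv in adverts:
        for vpn in adv.communities & local_vpns:
            peers[vpn].add(adv.edge_router)
    return peers


def demo() -> dict[str, set[str]]:
    """Constructed sample: this edge router has stub links in 65000:42 and
    65000:7; three remote edge routers advertise their memberships."""
    local = {encode_vpn_id(65000, 42), encode_vpn_id(65000, 7)}
    adverts = [
        RouteAdvertisement("192.0.2.20", frozenset({encode_vpn_id(65000, 42)})),
        RouteAdvertisement("192.0.2.21", frozenset({encode_vpn_id(65000, 42), encode_vpn_id(65000, 7)})),
        RouteAdvertisement("192.0.2.30", frozenset({encode_vpn_id(64512, 9)})),
    ]
    # Border-router style policy first: only VPNs homed in AS 65000 pass.
    scoped = [scope_filter(a, {65000}) for a in adverts]
    return {format_vpn_id(v): p for v, p in relevant_peers(local, scoped).items()}


if __name__ == "__main__":
    for vpn, peers in sorted(demo().items()):
        print(vpn, sorted(peers))
```

   Running the module lists, per locally configured VPN ID, the remote
   edge routers that advertised it; the advertisement homed in AS 64512
   is dropped by the scoping filter before membership is evaluated,
   which is the effect a BGP policy filter on the community would have
   at an AS border router.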

5.2  Tunneling Mechanisms

   Once VPRN membership information has been disseminated, the tunnels
   comprising the VPRN can be constructed.  While this can be done
   through manual configuration, this is clearly not likely to be a
   scalable solution, given the O(n^2) problem of meshed links.  As
   such, tunnel set up should use some form of signaling protocol which
   would allow two nodes to construct a tunnel to each other knowing
   only each other's identity.  Note also that there are some tunneling
   mechanisms which allow for multiple disjoint calls or sessions within
   the same tunnel - in such a 'shared tunnel' case, the signaling
   protocol could also be used to assign a call within an existing
   tunnel between two edge routers for a new VPN between them.

   There are two specific cases of interest: networks running MPLS, and
   current networks not running MPLS.  These are discussed separately.

5.2.1 MPLS Networks

   As noted in [Heinanen], MPLS can be considered to be a form of IP
   tunneling, since the labels of MPLS packets allow for routing
   decisions to be decoupled from the addressing information of the
   packets themselves. MPLS label distribution mechanisms can be used to
   associate specific sets of MPLS labels with particular VPRN address
   prefixes supported on particular egress points (i.e. stub links of
   edge routers) and hence allow other edge routers to explicitly label
   and route traffic to particular VPRN stub links.  The exact
   relationship of the various MPLS labels and the particular VPN to
   which they are bound is a function of whether or not the CPE edge
   routers participate or do not participate in MPLS with the ISP edge
   routers. These cases are discussed in greater detail below.

   The principal attraction of MPLS as a tunneling mechanism is that it
   may require less processing within each edge router than alternative
   tunneling mechanisms.  A further attraction is that traffic
   separation within an MPLS network is implicit in the explicit label
   binding, much as with a connection oriented network, such as Frame
   Relay: a labeled packet is delivered only to the egress to which its
   label is bound.  This may lessen customer concerns about data
   security and hence reduce the need for processor intensive security
   mechanisms (e.g. IPSec).  Note, however, that label binding provides
   isolation only; it offers no confidentiality or integrity protection
   against a party with access to the core routers or links, since the
   tunneled packets traverse the core in cleartext.  As discussed below,
   such implicit mechanisms address only some of the potential security
   concerns of customers.

5.2.2 Non-MPLS Networks

   For non-MPLS networks, VPNs in general require the use of an explicit
   IP tunneling mechanism.  There are numerous IP tunneling mechanisms,
   including IP/IP [Simpson], GRE tunnels [Hanks], L2TP [Valencia] and
   IPSec [Kent].  Each of these allows for opaque transport of IP
   packets, with routing disjoint from the address fields of the
   encapsulated packets.  Additional processing is required in edge
   routers for the use of any of these protocols, with some (e.g. IPSec)
   mandating significant processing capabilities.  On the other hand,
   such tunneling protocols can provide significantly more comprehensive
   data security capabilities than the implicit security of MPLS.

   It is the case, however, that none of the protocols listed above were
   originally designed to support VPNs of the type under consideration.
   As such, none provide all of the mechanisms likely to be needed for
   VPN applications.  In particular, only L2TP and IPSec can be
   considered to have any form of signaling protocol (the L2TP control
   protocol, and the Internet Key Exchange protocol [Harkins],
   respectively) which could potentially be used to automate the process
   of tunnel set up. Furthermore, none of these tunneling protocols has
   support today for multicast (other than source replication), whereas
   MPLS does have such support, though the application of MPLS
   mechanisms to multicast transport within VPNs is not yet fully
   defined, and requires further study.

   Given however, the current paucity of operational networks running
   MPLS, there is likely to be significant value in fully defining a VPN
   tunneling mechanism which could be deployed in current networks.  It
   may also be possible to readily extend other IP tunneling protocols
   to incorporate support for multicast.  Subsequent Drafts will address
   these issues.

5.3 Stub Link Reachability Information

   There must be mechanisms to allow ISP edge routers to determine the
   set of VPN addresses and address prefixes reachable at each stub link
   connecting to the edge router.  There are a number of means by which
   this can be done:

   A. Routing Protocol Instance:

   A routing protocol can be run between the CPE edge router and the ISP
   edge router to exchange reachability information.  Note that this
   routing exchange is asymmetrical since the CPE router views the ISP
   edge router as the default path into the VPN.  Any suitable routing
   protocol could be used to exchange routing information between the
   CPE and ISP edge routers.  It should be noted that the only function
   of this protocol is indeed to exchange reachability information, not
   to discover topology, since, by definition, there is only a single,
   point-to-point (logical) link between the CPE router and the ISP edge
   router, with the latter then discovering (and hiding) the VPN

   Likely protocols for this purpose include RIPv2, OSPF [Moy] and BGP-4
   [Rekhter2].  Note that even if the same protocol is used between the
   CPE and ISP edge routers, and from the ISP edge routers into the
   core, these will be two quite distinct routing instantiations.  If
   the ISP edge router uses routing protocol piggybacking to disseminate
   VPN membership and reachability information across the core, then it
   may redistribute suitably labeled routes from the CPE routing
   instantiation to the core routing instantiation (but never the other
   way round).  There is no requirement that the same protocol, or even
   the same CPE reachability information gathering mechanism, be run
   between each CPE router and associated edge router in a particular
   VPRN, since this is a purely local matter.

   Note that if a particular customer site concurrently belongs to
   multiple VPNs (or wishes to concurrently communicate with both a VPN
   and the Internet), then the ISP edge router must have some means of
   unambiguously mapping stub link address prefixes to particular VPNs.
   This could be done either by ensuring (and appropriately configuring
   the ISP edge router to know) that particular disjoint address
   prefixes are mapped into separate VPNs, or by tagging the routing
   advertisements from the CPE edge router with the appropriate VPN
   identifier.  In the case of MPLS, as discussed below, different MPLS
   labels would be used to differentiate the disjoint prefixes assigned
   to particular VPNs.  In any case, some administrative procedure would
   be required for this coordination.

   B. Configuration:

   The reachability information across each stub link could be manually
   configured, which may be appropriate if the set of addresses or
   prefixes is small and static.

   C. ISP Administered Addresses:

   The set of addresses used by each stub site could be administered and
   allocated by the ISP, which may be appropriate for very small sites
   with little network administration resources.  In such a case the ISP
   edge router could determine these addresses by proxying for the
   particular address administration mechanism (e.g. DHCP).  Note that
   in this case it would be the responsibility of the ISP to ensure that
   each site in the VPN received a disjoint address space.

   D. MPLS Label Distribution Protocol:

   In cases where the CPE edge router runs MPLS, the MPLS LDP could be
   extended to convey the set of prefixes at each stub site, together
   with the appropriate labeling information.  While LDP is not
   generally considered a routing protocol per se, it may be useful to
   extend it for this particular constrained scenario.  This is for
   further study.

5.4 Intra-VPN Reachability Information

   Once an edge router has determined the set of prefixes associated
   with each of its stub links, then this information must be
   disseminated to each other edge router in the VPRN.  Note also that
   there is an implicit requirement that the set of reachable addresses
   within the VPRN be locally unique, that is, each VPRN stub link (not
   performing load sharing) maintain an address space disjoint from any
   other, so as to permit unambiguous routing.  In practical terms, it
   is also generally desirable, though not required, that this address
   space be well partitioned, i.e. specific, disjoint address prefixes
   per stub link, so as to preclude the need to maintain and disseminate
   large numbers of host routes.
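
   As an added illustration, not part of this Draft, the following
   Python code models the edge router forwarding state implied by
   requirements A and B of section 4 and by the local uniqueness
   requirement above: one forwarding table per VPRN, so that the same
   private prefix may appear in two VPRNs (disjoint address spaces
   across VPNs) while an identical prefix behind two different stub
   links of one VPRN is refused; ingress traffic from a stub link is
   looked up by longest match only in the table of the VPRN to which
   that link is bound.  Class names, the next hop record and the sample
   addresses are assumptions made for this example.

```python
"""Per-VPN forwarding on an ISP edge router: the address space of one VPRN
may overlap that of another (disjoint address spaces, requirement A), but
within a single VPRN each prefix must resolve to exactly one stub link
(section 5.4), so ingress packets are looked up only in the table of the
VPN to which their stub link is bound.

Added illustration, not text or code from the draft.  Class names, the
next hop record and the sample addresses are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NextHop:
    edge_router: str  # tunnel endpoint (outer destination), or "local" for own stub links
    stub_link: str    # egress stub link at that edge router


class VpnForwardingTable:
    """Routes of one VPRN, keyed by customer prefix."""

    def __init__(self, vpn_id: str) -> None:
        self.vpn_id = vpn_id
        self._routes: dict[ipaddress.IPv4Network, NextHop] = {}

    def add_prefix(self, prefix: str, next_hop: NextHop) -> None:
        net = ipaddress.IPv4Network(prefix)
        current = self._routes.get(net)
        if current is not None and current != next_hop:
            # The same prefix behind two different stub links makes routing
            # ambiguous; more specific prefixes are fine and are resolved by
            # longest match.
            raise ValueError(f"{self.vpn_id}: {net} already reachable via {current}")
        self._routes[net] = next_hop

    def lookup(self, destination: str) -> NextHop | None:
        """Longest prefix match within this VPN only."""
        addr = ipaddress.IPv4Address(destination)
        best: tuple[ipaddress.IPv4Network, NextHop] | None = None
        for net, nh in self._routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


class EdgeRouter:
    def __init__(self) -> None:
        self._stub_to_vpn: dict[str, str] = {}
        self._tables: dict[str, VpnForwardingTable] = {}

    def bind_stub_link(self, stub_link: str, vpn_id: str) -> None:
        """Configure which VPRN a local stub link belongs to (section 5.1)."""
        self._stub_to_vpn[stub_link] = vpn_id
        self._tables.setdefault(vpn_id, VpnForwardingTable(vpn_id))

    def learn_prefix(self, vpn_id: str, prefix: str, next_hop: NextHop) -> None:
        """Install a prefix learned from a remote edge router or a local stub link."""
        self._tables.setdefault(vpn_id, VpnForwardingTable(vpn_id)).add_prefix(prefix, next_hop)

    def forward_ingress(self, stub_link: str, destination: str) -> NextHop | None:
        """Packet arriving on a stub link: consult only that link's VPN table.
        A miss returns None (drop); nothing here forwards to the Internet."""
        vpn_id = self._stub_to_vpn[stub_link]
        return self._tables[vpn_id].lookup(destination)


def build_demo_router() -> EdgeRouter:
    """Constructed sample: two VPRNs that both use 10.1.0.0/16 internally."""
    pe = EdgeRouter()
    pe.bind_stub_link("stub-A", "65000:42")
    pe.bind_stub_link("stub-C", "65000:7")
    # VPRN 65000:42, learned from remote edge routers and the local stub link
    pe.learn_prefix("65000:42", "10.1.0.0/16", NextHop("192.0.2.20", "stub-B"))
    pe.learn_prefix("65000:42", "10.1.5.0/24", NextHop("192.0.2.21", "stub-D"))
    pe.learn_prefix("65000:42", "10.2.0.0/16", NextHop("local", "stub-A"))
    # VPRN 65000:7 reuses the same private prefix; it lives in its own table
    pe.learn_prefix("65000:7", "10.1.0.0/16", NextHop("192.0.2.30", "stub-E"))
    return pe


def duplicate_prefix_rejected() -> bool:
    """Same prefix, same VPRN, different stub link: must be refused."""
    pe = build_demo_router()
    try:
        pe.learn_prefix("65000:42", "10.1.0.0/16", NextHop("192.0.2.31", "stub-F"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pe = build_demo_router()
    for link, dst in [("stub-A", "10.1.2.3"), ("stub-A", "10.1.5.9"),
                      ("stub-C", "10.1.2.3"), ("stub-A", "172.16.9.1")]:
        print(link, dst, "->", pe.forward_ingress(link, dst))
    print("duplicate rejected:", duplicate_prefix_rejected())
```

   The same destination 10.1.2.3 is forwarded to different tunnel
   endpoints depending on which stub link, and hence which VPRN, it
   arrived on, and a destination with no match in that VPRN's table is
   not forwarded anywhere; the edge router never consults another VPRN's
   table or a default route on the customer's behalf.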

   The intra-VPN reachability information dissemination can be solved in
   a number of ways, some of which include the following:

   A. Directory Lookup:

   Along with VPN membership information, a central directory could
   maintain a listing of the address prefixes associated with each end
   point.  Such information could be obtained by the server through
   protocol interactions with each edge router.  Note that the same
   directory synchronization issues discussed above would apply in this

   B. Explicit Configuration:

   The address spaces associated with each edge router could be
   explicitly configured into each other router.  This is clearly a
   non-scalable solution, and also raises the question of how the
   management system learns such information in the first place.

   C. Local Intra-VPRN Routing Instantiations:

   In this approach, each edge router runs an instantiation of a routing
   protocol (a 'virtual router') per VPRN, running across the VPRN
   tunnels to each peer edge router, to disseminate intra-VPRN
   reachability information. The intra-VPN routing advertisements could
   be distinguished from normal tunnel data packets either by being
   addressed directly to the peer edge router, or by a tunnel specific

   Note that this intra-VPRN routing protocol need have no relationship
   with the routing protocols operated by the ISPs in the path.
   Specifically, the intra-VPRN routing protocol operates as an overlay
   over the IP backbone, and, given the very simple meshed topology of
   the VPRN, could be a very simple protocol, such as RIPv2 [Malkin], at
   least unless the VPRN spans a very large number of edge routers.
   Since the intra-VPN routing protocol runs as an overlay, it is also
   wholly transparent to any intermediate routers, and to any edge
   routers not within the VPRN.  This also implies that such routing
   information can also remain opaque to such routers, which may be a
   necessary security requirement in some cases.

   D. Link Reachability Protocol

   Each edge router could run a link reachability protocol - for
   instance, some variation of the MPLS LDP - across the tunnel to each
   peer edge router in the VPRN, carrying the VPN ID and the
   reachability information of each VPRN running across the tunnel
   between the two edge routers. Such a protocol would need to be
   specified, and would require aspects of current routing protocols
   such as hello protocols, and re-transmit timers and/or positive
   acknowledgements.  However, such an approach may reduce the
   processing burden of running routing protocol instantiations per
   VPRN, and may be of particular benefit where a shared tunnel
   mechanism is used to connect a set of edge routers supporting
   multiple VPRNs.

   E. Piggybacking in Routing Protocols:

   As with VPN membership, the set of address prefixes associated with
   each stub interface could also be piggybacked into the routing
   advertisements from each edge router and propagated through the
   network.  Other edge routers would extract this information from
   received route advertisements in the same way as they would obtain
   the VPRN membership information (which, in this case, is implicit in
   the identification of the source of each route advertisement). Note
   that this scheme may require, depending upon the nature of the
   routing protocols involved, that intermediate routers (e.g. border
   routers) cache intra-VPRN routing information in order to propagate
   it further.  This also has implications for the trust model, and for
   the level of security possible for intra-VPRN routing information.

   Note that in any of the cases discussed above, an edge router has the
   option of disseminating its stub link prefixes in a manner so as to
   permit tunneling from remote edge routers directly to the egress stub
   links.  Alternatively, it could disseminate the information so as to
   associate all such prefixes with the edge router, rather than with
   specific stub links.  In this case, the edge router would need to
   implement a VPN specific forwarding mechanism for egress traffic, to
   determine the correct egress stub link.  The advantage of this is
   that it may significantly reduce the number of distinct tunnels or
   tunnel label information which need to be constructed and maintained.
   Note that this choice is purely a local matter and is not visible to
   remote edge routers.

   The earlier Draft [Heinanen] discussed the last scheme only, and that
   is further spelled out below.  A number of vendors have already
   announced, however, their intention to support variants of the
   virtual router scheme, which is also less disruptive to currently
   deployed routing protocols.  As such, this scheme merits further
   investigation and will be addressed in future Drafts.

6. Routing Protocol Piggybacking

   As noted above, routing protocol piggybacking could be used to carry
   VPN membership information alone, or also VPN reachability
   information.  The means by which this is done, and the nature of the
   piggyback information, is a function both of the particular routing
   protocol, and of the underlying network mechanism.  The particular
   cases of OSPF and BGP-4 are discussed below.

6.1 OSPF

   OSPF is often used as an intra-AS routing protocol, and hence may be
   a required candidate for routing protocol piggybacking.  One means by
   which VPN membership and reachability information could be
   piggybacked is through the use of the proposed OSPF opaque LSA
   [Coltun].  The exact details of how such a piggybacking advertisement
   might be coded are for further study.  In particular, it may prove to
   be the case that opaque LSAs could be well suited for piggybacking
   VPN membership information, but not VPN reachability information,
   since opaque LSAs, at least as currently defined, are attributes of,
   not indexes into, reachability information. Using them in the latter
   manner, which would be required to piggyback VPN reachability
   information, may break some existing OSPF implementations. Opaque
   LSAs do, however, have a well defined scoping mechanism, that, at
   least within an AS, allows for control over the extent of
   dissemination of a VPN advertisement.

   Note also that, since OSPF is a link state protocol, its
   advertisements always allow for the identification of the source of
   an advertisement.  However, each router in the OSPF network, and not
   only the edge routers, will also need to examine received
   advertisements and explicitly ignore piggybacked VPN advertisements,
   unless configured to be a VPN terminator (i.e. an edge router).

6.2 BGP-4

   There are a number of potential mechanisms by which VPN information
   could be piggybacked into BGP-4, including the Multiprotocol
   Extensions attribute [Bates] or the BGP communities attribute.  In
   the case where VPN reachability information is piggybacked, each VPN
   address prefix could be encoded as Network Layer Reachability
   Information (NLRI) and bound to the VPN identifier as a community
   attribute, if the VPN ID has the format proposed previously. Note
   that where it is desired to advertise only VPN membership
   information, advertising each VPN prefix may be onerous and
   undesirable, but there is as yet no mechanism in BGP-4 to advertise
   anything other than NLRI.

   In the case where this is done on an MPLS network, then the
   advertisement would carry each VPN prefix, together with the MPLS
   label(s) to be used to send packets to that stub link.  As noted
   above, these labels, as a purely local matter, could identify either
   the route to each stub link, or only to the edge router itself, which
   would then use its own forwarding mechanisms for egress packets.

   Since there is already defined a particular mechanism for carrying
   MPLS labels in BGP-4 using the Multiprotocol Extensions field
   [Rekhter3], this would suggest that this mechanism should be
   generalized for the purpose also of conveying VPN information; hence
   it is proposed that that Draft be amended for this purpose.

   The use of BGP-4 for VPN piggybacking is more complex in cases where
   this is done on non-MPLS networks.  In such a case, the piggybacked
   advertisements must allow for the explicit identification of the
   source of the advertisement.  This is important for tunnel set up in
   non-MPLS networks, where each edge router needs to know the identity
   (i.e. IP address) of each of the other edge routers, in order to
   initiate whatever signaling mechanism may be used for tunnel set-up.

   At present there is no means by which the original source of a BGP
   advertisement can be identified once that advertisement is
   redistributed (e.g. from an intra-AS protocol like OSPF into BGP at a
   border node, or from an edge router through a border router for
   distribution outside the original AS).  Since VPN support in non-MPLS
   networks is an important requirement, it is proposed that whatever
   BGP-4 mechanism is chosen for the purpose of VPN advertisements also
   be amended to allow for explicit tagging with the IP address of the
   original source of the advertisement.  One possible means by which
   this could be done may be to associate the VPN ID (coded as a
   Community Attribute) with the /32 prefix (i.e. IP address) of the
   edge router supporting the VPN.  This issue is for further study.

   Note that in the case where BGP advertisements are propagated across
   AS boundaries, each border router must cache the full set of
   prefixes and associated label stacks of each advertised VPN.  In such
   a case, further work is also needed to control scoping of BGP
   piggybacked advertisements.  In particular, at AS boundaries, border
   routers would generally need to be manually configured with VPN route
   advertisement policies to determine whether such advertisements
   should be propagated, and, if so, to which peer ASs.  In general ASs
   will also likely automatically reject VPN advertisements received
   from peer ASs unless specifically configured to pass them.  Some
   administrative mechanism (e.g. manual procedures or some form of
   directory communication, for instance) would be needed for this

   Note also that such scoping policy configurations would be needed not
   only in each border router of each AS with one or more VPN
   termination points, but also in each AS in the transit path between
   them.  This last may pose problems if the trust system includes the
   terminating ASs, but excludes one or more of the transit ASs.  These
   problems expose a particular artifact of router piggybacking - while
   VPN membership and reachability information is relevant only to the
   particular edge routers concerned, router piggybacking necessarily
   requires also the active participation of all intermediate routers
   that need to process and propagate such advertisements.  This may
   impose significant burdens on the operation and administration of
   such intermediate routers, as well as compromising the integrity of
   the VPNs concerned.

7. MPLS Mappings

   The earlier Draft [Heinanen] proposed a number of mechanisms for
   facilitating VPN set up in MPLS networks.  As noted above, most of
   these mechanisms are subsets of more generic VPN mechanisms, and some
   of the alternate mechanisms described above can also be applied to
   MPLS networks.  There are specific issues with respect to mappings
   into MPLS networks due to the nature of the particular control and
   data planes of MPLS. Furthermore, the operation of these data and
   control planes is a function of whether or not the CPE router also
   runs MPLS.  These cases are considered separately.

7.1 CPE Router Runs MPLS

   In this case the CPE router and ISP edge router exchange, using one
   of the mechanisms discussed above, the set of address prefixes
   associated with that stub site and then, concurrently or
   subsequently, assign MPLS labels to each such prefix.  Note that, as
   discussed above, the edge router could decide, as a local matter, to
   assign the same label to each such stub link, or distinct labels to
   each, depending upon whether or not it wished to explicitly forward
   egress packets.

   If a CPE router belongs concurrently to more than one VPN, then it
   must label the (disjoint) prefixes of each VPN differently, to allow
   for unambiguous routing at the edge router.  Thereafter, the ISP edge
   router uses whatever routing and label assignment mechanisms may be
   used within its network to disseminate the prefixes, tagged with the
   appropriate VPN ID, and the locally assigned MPLS label, to each
   other peer Label Switching Router (LSR).

   In the specific case where BGP-4 is used for piggybacking across the
   core network, this implies that each edge router and border router in
   the AS - but not the intermediate LSRs - will receive the bindings of
   VPN IDs, VPN prefixes and associated labels, together with the label
   needed to forward traffic to the particular edge router from its BGP
   peers. If border routers were to propagate this information further
   across the core, they would then push into this label stack,
   information to identify the explicit tunnel route to the particular
   border router from its peer border routers.  At a terminating edge
   router, the edge router would maintain in its VPN specific Label
   Information Base (LIB), the mappings of particular VPN prefixes to
   the label stacks associated with each prefix.  Note that in this
   case, edge routers will know, and need know, only the route (i.e.
   MPLS label stack) to each VPN prefix, and will not know the identity
   of the edge router through which that prefix is reached.

   Each edge router may also advertise, using either LDP or a
   piggybacked routing protocol, a default label to be used by the CPE
   across its stub links to send data into the VPN, unless this binding
   was implicit (e.g. all traffic from a stub link only gets sent to one
   particular VPN).

   Note that all of these label stacks are disjoint from the labels used
   for connectivity between the edge and border routers, through the
   intermediate LSRs within the AS MPLS network. This level of intra-AS
   connectivity is a lower level than the BGP peering level; hence,
   disjoint MPLS label allocation mechanisms (e.g. LDP following prefix
   distribution using an intra-AS routing protocol) would be used to
   determine connectivity to, and the appropriate label stacks for, edge
   and border router connectivity across the AS.

   Hence an edge or border router wishing to transmit to a particular
   VPN stub link would need to first determine the destination VPN
   prefix, and the VPN label stack associated with that prefix.
   Subsequently, it would then determine the label switched path (LSP)
   to the particular destination edge router, push the resultant label
   stack onto the VPN label and transmit the packet.  At the destination
   edge router, the intra-AS routing label stack would be popped, and
   the packet sent to the appropriate stub link using either the VPN
   label, if explicitly tagged, or using a local forwarding mechanism,
   if not.

7.2 CPE Router Does Not Run MPLS

   This case would work exactly as described above, except that the ISP
   edge router would proxy for the CPE router by assigning labels to
   each CPE prefix. Packets sent to the stub link would be routed as
   described above, except that at the destination edge router the label
   stack would be removed and an untagged packet sent to the CPE router.
   In this case, the edge router would also need some unambiguous means
   of determining the destination VPN, where a particular stub site
   supports multiple VPNs.  Typically this will require disjoint address
   spaces in each VPN.

   Note that in either case all border routers will need to maintain
   label mappings for all prefixes associated with each VPN in the AS.
   This is a consequence of the fact that BGP can, at present, only
   advertise routes to particular NLRI prefixes and hence cannot, as
   discussed above, advertise only VPN to edge router bindings. It is
   also, of course, obvious that such information cannot in any sense
   be aggregated.

7.3  Use of RSVP in MPLS Networks

   There have been a number of proposals to use the Resource Reservation
   Protocol (RSVP) to allocate labels within MPLS networks, either for
   the purpose of setting up flow specific LSPs [Davie] or for
   administrating traffic engineered tunnels across multiple ASs, as in
   the PASTE proposal [Li].  In either case, VPN membership and, perhaps
   also VPN reachability information, could be carried using such RSVP
   based label allocation mechanisms, as with the use of the LDP,
   described above.  In particular, in the case of the PASTE proposal,
   RSVP is used to set up and administer traffic engineered tunnels that
   span potentially multiple service provider domains, and provide
   non-default path forwarding.  In such a case, router piggybacking may not
   be possible, and hence RSVP may be the only protocol available in
   which to piggyback VPN advertisements.  This subject is for further

8. Security Considerations

   As noted above, VPN operation on MPLS networks relies upon the
   implicit security of explicitly labeled LSPs.  Unless a particular
   edge router has been configured for membership in a particular VPN,
   no CPE router connected to that edge router should be able to
   insert traffic into that VPN. Note, however, that this is only true
   if each edge router in the network, and not just those participating
   in the VPN, ensures that no CPE router can transmit packets with
   label information that may cause it to be inserted, at some merge
   point, into a LSP leading to the labeled VPN.  As such, the trust
   model for MPLS based VPNs must encompass all MPLS edge routers, and
   not only those participating in the particular VPN.
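   As an added illustration (constructed for this edit, not code from
   the draft), the Python below models the edge-router behaviour of
   sections 7.1 and 7.2 (VPN-confined LIB lookup, pushing the intra-AS
   transport labels onto the VPN label, popping them at the egress and
   choosing between a per-stub-link and a per-router VPN label)
   together with the section 8 requirement that a label supplied by a
   CPE is honoured only if this edge router itself bound it to that stub
   link.  The router names PE1/PE2, interface names, prefixes and label
   values are all assumptions made up for the example.

```python
from ipaddress import ip_address, ip_network

class EdgeRouter:
    """Constructed model of an ISP edge router; not code from the draft."""
    def __init__(self, name):
        self.name = name
        self.vpn_lib = {}        # (vpn_id, prefix) -> (egress router, VPN label or local stub)
        self.transport_lib = {}  # egress router -> intra-AS transport label stack
        self.stub_links = {}     # stub interface -> vpn_id for untagged CPE traffic (7.2)
        self.cpe_labels = {}     # (stub interface, label handed to the CPE) -> vpn_id (7.1)
        self.egress_labels = {}  # VPN label we advertised -> (vpn_id, stub link or None)

    def bind_prefix(self, vpn_id, prefix, egress, label_or_stub):
        self.vpn_lib[(vpn_id, ip_network(prefix))] = (egress, label_or_stub)

    def lookup(self, vpn_id, dst):
        """Longest-prefix match confined to one VPN's entries in the LIB."""
        best = None
        for (vid, net), binding in self.vpn_lib.items():
            if vid == vpn_id and dst in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, binding)
        return best[1] if best else None

    def ingress(self, stub, dst, cpe_label=None):
        """Packet from a CPE: ('forward', stack), ('deliver', stub) or ('drop', why)."""
        dst = ip_address(dst)
        if cpe_label is None:
            vpn_id = self.stub_links.get(stub)             # edge router proxies (7.2)
        else:
            # Section 8: honour only a label this router bound to this stub link,
            # so a CPE cannot steer a packet into an LSP belonging to another VPN.
            vpn_id = self.cpe_labels.get((stub, cpe_label))
        if vpn_id is None:
            return ("drop", "no VPN binding for stub %s" % stub)
        binding = self.lookup(vpn_id, dst)
        if binding is None:
            return ("drop", "no route to %s in VPN %s" % (dst, vpn_id))
        egress, label_or_stub = binding
        if egress == self.name:
            return ("deliver", label_or_stub)
        transport = self.transport_lib.get(egress)
        if transport is None:
            return ("drop", "no LSP to %s" % egress)
        return ("forward", tuple(transport) + (label_or_stub,))  # transport pushed on VPN label

    def egress(self, stack, dst):
        """Packet from the core: transport labels are popped, the VPN label decides."""
        vpn_id, stub = self.egress_labels.get(stack[-1], (None, None))
        if vpn_id is None:
            return ("drop", "unknown VPN label %s" % stack[-1])
        if stub is not None:                                # label names the stub link
            return ("deliver", stub)
        binding = self.lookup(vpn_id, ip_address(dst))      # per-router label: local forwarding
        return ("deliver", binding[1]) if binding else ("drop", "no stub link in VPN %s" % vpn_id)

def build_example():
    """PE1 and PE2 share VPN 'A'; PE2 also serves VPN 'B' on an overlapping address space."""
    pe1, pe2 = EdgeRouter("PE1"), EdgeRouter("PE2")
    pe1.stub_links["s0"] = "A"                        # non-MPLS CPE on s0
    pe1.cpe_labels[("s1", 40)] = "A"                  # MPLS CPE on s1 was given label 40
    pe1.bind_prefix("A", "10.1.0.0/16", "PE1", "s0")  # local site of VPN A
    pe1.bind_prefix("A", "10.2.0.0/16", "PE2", 200)   # remote site, VPN label advertised by PE2
    pe1.bind_prefix("B", "10.2.0.0/16", "PE2", 300)   # same prefix in VPN B, distinct label
    pe1.transport_lib["PE2"] = [17]                   # intra-AS LSP to PE2 (e.g. via LDP)
    pe2.egress_labels[200] = ("A", "s3")              # per-stub-link label for VPN A
    pe2.egress_labels[300] = ("B", None)              # per-router label for VPN B
    pe2.bind_prefix("B", "10.2.0.0/16", "PE2", "s4")
    return pe1, pe2
```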

   The particular form of data security offered by MPLS based VPNs also
   does not address other potential security concerns (e.g. data
   snooping, non-repudiation, etc.).  Such concerns can only be met
   through more explicit security mechanisms, e.g. IPSec.  As noted
   earlier, such mechanisms are required for any tunneling mechanism
   operating on non-MPLS networks where paths are not explicitly
   labeled.  Note, however, that such security mechanisms - e.g.
   bilateral IPSec peerings between two edge routers in a VPN - have the
   advantage that the trust model need only include the relevant edge
   routers, and not any of the intermediate routers (or administrative

   Particular VPN configuration mechanisms have their own security
   issues.  In particular, piggybacking of VPN membership and routing
   information in routing protocols would potentially expose such
   information to all intermediate routing nodes.  This may be a
   particular issue where this mechanism is used to distribute VPN
   information across multiple ASs or ISPs.  Mechanisms to address this
   problem may be worthy of study e.g. the use of encryption and
   authentication mechanisms to protect such piggybacked information,
   with the use of key distribution mechanisms to restrict access only
   to trusted edge routers.

9. Intellectual Property Considerations

   Cisco Systems has claimed potential intellectual property rights to
   certain aspects of the mechanisms discussed in the earlier Draft, and
   referred to here.  Refer to [Heinanen] for the specific disclosure
   notice.  The nature, extent and impact of these claims are unknown to
   the present authors.

10.  Acknowledgements

   Thanks to Tony Li, of Juniper Networks, for his helpful review and
   feedback and to Anthony Alles, of Shasta Networks, for his assistance
   in the generation of this Draft.

11. References

   [Bates] Bates, T.  "Multiprotocol Extensions for BGP-4", RFC 2283.

   [Callon] Callon, R., et al.  "Multiprotocol Label Switching
   Architecture", draft-ietf-mpls-arch-02.txt.

   [Chandra] Chandra, R. and Traina, P.  "BGP Communities Attribute",
   RFC 1998.

   [Coltun] Coltun, R.  "The OSPF Opaque LSA Option", RFC 2370.

   [Davie] Davie, B., et al.  "Use of Label Switching with RSVP",

   [Hanks] Hanks, S., et al.  "Generic Routing Encapsulation over IPv4
   Networks", RFC 1702.

   [Harkins] Harkins, D. and Carrel, D.  "The Internet Key Exchange
   (IKE)", draft-ietf-ipsec-isakmp-oakley-08.txt.

   [Heinanen] Heinanen, J. and Rosen, E.  "VPN Support with MPLS"

   [Kent] Kent, S. and Atkinson, R.  "Security Architecture for the
   Internet Protocol", draft-ietf-ipsec-arch-sec-06.txt.

   [Li] Li, T. and Rekhter, Y.  "Provider Architecture for
   Differentiated Services and Traffic Engineering (PASTE)", draft-li-

   [Malkin] Malkin, G.  "RIP Version 2 Carrying Additional
   Information", RFC 1723.

   [Moy] Moy, J.  "OSPF Version 2", RFC 2328.

   [Rekhter1] Rekhter, Y., et al.  "Address Allocation for Private
   Internets", RFC 1918.

   [Rekhter2] Rekhter, Y. and Li, T.  "A Border Gateway Protocol 4
   (BGP-4)", RFC 1771.

   [Rekhter3] Rekhter, Y. and Rosen, E.  "Carrying Label Information in
   BGP-4", draft-ietf-mpls-bgp4-mpls-00.txt.

   [Simpson] Simpson, W.  "IP in IP Tunneling", RFC 1853.

   [Valencia] Valencia, A., et al.  "Layer Two Tunneling Protocol
   "L2TP"", draft-ietf-pppext-l2tp-11.txt.

12. Author Information

        Juha Heinanen
        Telia Finland, Inc.
        Myyrmaentie 2
        01600 VANTAA
        Tel: +358 303 944 808

        Bryan Gleeson
        Shasta Networks
        249 Humboldt Court
        Sunnyvale CA 94089-1300
        Tel: +1 (408) 548 3711

        Arthur Lin
        Shasta Networks
        249 Humboldt Court
        Sunnyvale CA 94089-1300
        Tel: +1 (408) 548 3788
