devices can be either routers, bridges or hosts.
Gleeson, et al. Informational [Page 18]
RFC 2764 IP Based Virtual Private Networks February 2000
The two ISP nodes are both connected to an IP network, and an IP
tunnel is set up between them. Each ISP node is configured to bind
the stub link and the IP tunnel together at layer 2 (e.g., an ATM VCC
and the IP tunnel). Frames are relayed between the two links. For
example the ATM Adaptation Layer 5 (AAL5) payload is taken and
encapsulated in an IPSec tunnel, and vice versa. The contents of the
AAL5 payload are opaque to the ISP node, and are not examined there.
                  +--------+      ------------      +--------+
      +---+       |  ISP   |     (     IP     )     |  ISP   |      +---+
      |CPE|-------|  edge  |-----(  backbone  )-----|  edge  |------|CPE|
      +---+  ATM  |  node  |     (            )     |  node  | ATM  +---+
             VCC  +--------+      ------------      +--------+ VCC

                         <--------- IP Tunnel -------->

   10.1.1.5                   subnet = 10.1.1.4/30               10.1.1.6
         Addressing used by customer (transparent to provider)

                      Figure 4.1: VLL Example
To a customer it looks the same as if a single ATM VCC or Frame Relay
circuit were used to interconnect the CPE devices, and the customer
could be unaware that part of the circuit was in fact implemented
over an IP backbone. This may be useful, for example, if a provider
wishes to provide a LAN interconnect service using ATM as the network
interface, but does not have an ATM network that directly
interconnects all possible customer sites.
It is not necessary that the two links used to connect the CPE
devices to the ISP nodes be of the same media type, but in this case
the ISP nodes cannot treat the traffic in an opaque manner, as
described above. Instead the ISP nodes must perform the functions of
an interworking device between the two media types (e.g., ATM and
Frame Relay), and perform functions such as LLC/SNAP to NLPID
conversion, mapping between ARP protocol variants and performing any
media specific processing that may be expected by the CPE devices
(e.g., ATM OAM cell handling or Frame Relay XID exchanges).
The IP tunneling protocol used must support multiprotocol operation
and may need to support sequencing, if that characteristic is
important to the customer traffic. If the tunnels are established
using a signalling protocol, they may be set up in a data driven
manner, when a frame is received from a customer link and no tunnel
exists, or the tunnels may be established at provisioning time and
kept up permanently.
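An added illustration (not code from the RFC) of the relay described above: each ISP edge node binds a stub link to an IP tunnel, prepends an assumed tunnel header carrying a protocol id (for multiprotocol operation) and a sequence number, and relays the customer frame without examining it; the header layout and the PROTO_AAL5 value are assumptions, and IPsec protection of the tunnel is out of scope.

```python
import struct
from dataclasses import dataclass, field

# Assumed tunnel header (not defined by the RFC): 2-byte protocol id marking the
# encapsulated link type, 4-byte sequence number, then the opaque stub-link
# frame (e.g. an AAL5 PDU). Protection of the tunnel (IPsec) is out of scope.
HDR = struct.Struct("!HI")
PROTO_AAL5 = 0x0001   # constructed value for this example

@dataclass
class VllEdgeNode:
    """Binds one stub link to one IP tunnel at layer 2 and relays frames."""
    proto_id: int
    tx_seq: int = 0
    rx_expected: int = 0
    events: list = field(default_factory=list)

    def stub_to_tunnel(self, frame: bytes) -> bytes:
        """Encapsulate a customer frame without examining its contents."""
        pkt = HDR.pack(self.proto_id, self.tx_seq) + frame
        self.tx_seq = (self.tx_seq + 1) & 0xFFFFFFFF
        return pkt

    def tunnel_to_stub(self, pkt: bytes):
        """Decapsulate; reject foreign protocol ids and late/duplicate frames,
        record (but tolerate) gaps so lost frames are visible to the operator."""
        if len(pkt) < HDR.size:
            self.events.append("short packet dropped")
            return None
        proto, seq = HDR.unpack_from(pkt)
        if proto != self.proto_id:
            self.events.append(f"protocol {proto:#06x} dropped")
            return None
        if seq < self.rx_expected:
            self.events.append(f"late/duplicate seq {seq} dropped")
            return None
        if seq > self.rx_expected:
            self.events.append(f"gap: lost {seq - self.rx_expected} frame(s)")
        self.rx_expected = seq + 1
        return pkt[HDR.size:]

def relay_demo():
    """Two ISP edge nodes; the backbone loses the second of four frames."""
    left, right = VllEdgeNode(PROTO_AAL5), VllEdgeNode(PROTO_AAL5)
    frames = [b"cell-0", b"cell-1", b"cell-2", b"cell-3"]   # constructed AAL5 PDUs
    tunnel = [left.stub_to_tunnel(f) for f in frames]
    del tunnel[1]                                           # simulated loss
    tunnel.append(HDR.pack(0x0002, 9) + b"other")           # foreign protocol id
    delivered = [f for f in (right.tunnel_to_stub(p) for p in tunnel) if f is not None]
    return delivered, right.events
```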
Note that the use of the term 'VLL' in this document is different to
that used in the definition of the Diffserv Expedited Forwarding Per
Hop Behaviour (EF-PHB) [30]. In that document a VLL is used to mean
a low latency, low jitter, assured bandwidth path, which can be
provided using the described PHB. Thus the focus there is primarily
on link characteristics that are temporal in nature. In this document
the term VLL does not imply the use of any specific QoS mechanism,
Diffserv or otherwise. Instead the focus is primarily on link
characteristics that are more topological in nature (e.g.,
constructing a link which includes an IP tunnel as one segment of the
link). For a truly complete emulation of a link layer both the
temporal and topological aspects need to be taken into account.
5.0 VPN Types: Virtual Private Routed Networks
5.1 VPRN Characteristics
A Virtual Private Routed Network (VPRN) is defined to be the
emulation of a multi-site wide area routed network using IP
facilities. This section looks at how a network-based VPRN service
can be provided. CPE-based VPRNs are also possible, but are not
specifically discussed here. With network-based VPRNs many of the
issues that need to be addressed are concerned with configuration and
operational issues, which must take into account the split in
administrative responsibility between the service provider and the
service user.
The distinguishing characteristic of a VPRN, in comparison to other
types of VPNs, is that packet forwarding is carried out at the
network layer. A VPRN consists of a mesh of IP tunnels between ISP
routers, together with the routing capabilities needed to forward
traffic received at each VPRN node to the appropriate destination
site. Attached to the ISP routers are CPE routers connected via one
or more links, termed 'stub' links. There is a VPRN specific
forwarding table at each ISP router to which members of the VPRN are
connected. Traffic is forwarded between ISP routers, and between ISP
routers and customer sites, using these forwarding tables, which
contain network layer reachability information (in contrast to a
Virtual Private LAN Segment type of VPN (VPLS) where the forwarding
tables contain MAC layer reachability information - see section 7.0).
An example VPRN is illustrated in the following diagram, which shows
3 ISP edge routers connected via a full mesh of IP tunnels, used to
interconnect 4 CPE routers. One of the CPE routers is multihomed to
the ISP network. In the multihomed case, all stub links may be
active, or, as shown, there may be one primary and one or more backup
links to be used in case of failure of the primary. The term
'backdoor' link is used to refer to a link between two customer sites
that does not traverse the ISP network.
   10.1.1.0/30   +--------+                      +--------+   10.2.2.0/30
      +---+      |  ISP   |      IP tunnel       |  ISP   |      +---+
      |CPE|------|  edge  |<-------------------->|  edge  |------|CPE|
      +---+ stub | router |     10.9.9.4/30      | router | stub +---+
            link +--------+                      +--------+ link   :
                   |  ^  |                        |  ^             :
                   |  |  |     --------------     |  |             :
                   |  |  +----(              )----+  |             :
                   |  |       (  IP BACKBONE  )       |             :
                   |  |       (              )       |             :
                   |  |        --------------        |             :
                   |  |               |              |             :
                   |  |IP tunnel +--------+ IP tunnel|             :
                   |  |          |  ISP   |          |             :
                   |  +--------->|  edge  |<---------+             :
                   | 10.9.9.8/30 | router | 10.9.9.12/30           :
             backup|             +--------+                backdoor:
               link|               |     |                    link :
                   |    stub link   |     |  stub link             :
                   |               |     |                        :
                   |             +---+ +---+                      :
                   +-------------|CPE| |CPE|.......................:
                    10.3.3.0/30  +---+ +---+   10.4.4.0/30

                        Figure 5.1: VPRN Example
The principal benefit of a VPRN is that the complexity and the
configuration of the CPE routers is minimized. To a CPE router, the
ISP edge router appears as a neighbor router in the customer's
network, to which it sends all traffic, using a default route. The
tunnel mesh that is set up to transfer traffic extends between the
ISP edge routers, not the CPE routers. In effect the burden of
tunnel establishment and maintenance and routing configuration is
outsourced to the ISP. In addition other services needed for the
operation of a VPN such as the provision of a firewall and QoS
processing can be handled by a small number of ISP edge routers,
rather than a large number of potentially heterogeneous CPE devices.
The introduction and management of new services can also be more
easily handled, as this can be achieved without the need to upgrade
any CPE equipment. This latter benefit is particularly important
when there may be large numbers of residential subscribers using VPN
services to access private corporate networks. In this respect the
model is somewhat akin to that used for telephony services, whereby
new services (e.g., call waiting) can be introduced with no change in
subscriber equipment.
The VPRN type of VPN is in contrast to one where the tunnel mesh
extends to the CPE routers, and where the ISP network provides layer
2 connectivity alone. The latter case can be implemented either as a
set of VLLs between CPE routers (see section 4.0), in which case the
ISP network provides a set of layer 2 point-to-point links, or as a
VPLS (see section 7.0), in which case the ISP network is used to
emulate a multiaccess LAN segment. With these scenarios a customer
may have more flexibility (e.g., any IGP or any protocol can be run
across all customer sites) but this usually comes at the expense of a
more complex configuration for the customer. Thus, depending on
customer requirements, a VPRN or a VPLS may be the more appropriate
solution.
Because a VPRN carries out forwarding at the network layer, a single
VPRN only directly supports a single network layer protocol. For
multiprotocol support, a separate VPRN for each network layer
protocol could be used, or one protocol could be tunneled over
another (e.g., non-IP protocols tunneled over an IP VPRN) or
alternatively the ISP network could be used to provide layer 2
connectivity only, such as with a VPLS as mentioned above.
The issues to be addressed for VPRNs include: initial configuration;
determination by an ISP edge router of the set of links that are in
each VPRN, the set of other routers that have members in the VPRN,
and the set of IP address prefixes reachable via each stub link;
determination by a CPE router of the set of IP address prefixes to be
forwarded to an ISP edge router; the mechanism used to disseminate
stub reachability information to the correct set of ISP routers; and
the establishment and use of the tunnels used to carry the data
traffic. Note also that, although discussed first for VPRNs, many of
these issues also apply to the VPLS scenario described later, with
the network layer addresses being replaced by link layer addresses.
Note that VPRN operation is decoupled from the mechanisms used by the
customer sites to access the Internet. A typical scenario would be
for the ISP edge router to be used to provide both VPRN and Internet
connectivity to a customer site. In this case the CPE router just
has a default route pointing to the ISP edge router, with the latter
being responsible for steering private traffic to the VPRN and other
traffic to the Internet, and providing firewall functionality between
the two domains. Alternatively a customer site could have Internet
connectivity via an ISP router not involved in the VPRN, or even via
a different ISP. In this case the CPE device is responsible for
splitting the traffic into the two domains and providing firewall
functionality.
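An added example, not from the RFC, modelling the per-VPRN forwarding tables described in section 5.1 for the top-left ISP edge router of Figure 5.1, including the primary/backup handling of the multihomed site and the steering of private versus Internet traffic described just above; the next-hop labels (stub-A, tunnel-10.9.9.4/30, backup-link, etc.) and the second customer's overlapping address space are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VprnTable:
    """Per-VPRN forwarding table: prefix -> (primary next hop, backup next hop)."""
    vpn_id: str
    routes: dict = field(default_factory=dict)

    def add(self, prefix, next_hop, backup=None):
        self.routes[ipaddress.ip_network(prefix)] = (next_hop, backup)

    def lookup(self, dst, failed=frozenset()):
        """Longest-prefix match; use the backup hop if the primary is down."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hops in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hops)
        if best is None:
            return None
        primary, backup = best[1]
        if primary not in failed:
            return primary
        return backup if backup is not None and backup not in failed else None

@dataclass
class IspEdgeRouter:
    vprns: dict = field(default_factory=dict)   # vpn_id -> VprnTable

    def forward(self, vpn_id, dst, failed=frozenset()):
        """Steer a packet that arrived on a stub link belonging to vpn_id."""
        hop = self.vprns[vpn_id].lookup(dst, failed)
        if hop is not None:
            return ("vprn", hop)
        if ipaddress.ip_address(dst).is_private:
            return ("drop", "no route in VPRN")      # never leak to another VPRN
        return ("internet", "via firewall")          # non-private: Internet domain

def build_top_left_router():
    """Constructed tables for the top-left ISP edge router of Figure 5.1."""
    a = VprnTable("customer-A")
    a.add("10.1.1.0/30", "stub-A")                   # directly attached site
    a.add("10.2.2.0/30", "tunnel-10.9.9.4/30")       # via top-right edge router
    a.add("10.4.4.0/30", "tunnel-10.9.9.8/30")       # via bottom edge router
    a.add("10.3.3.0/30", "tunnel-10.9.9.8/30", backup="backup-link")  # multihomed
    b = VprnTable("customer-B")                      # separate VPRN, overlapping space
    b.add("10.1.1.0/30", "stub-B")
    return IspEdgeRouter({"customer-A": a, "customer-B": b})
```

Because each VPRN keeps its own table, the same 10.1.1.0/30 prefix resolves to different stub links for the two customers, and a private destination absent from a table is dropped rather than handed to another VPRN or the Internet path.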
5.1.1 Topology
The topology of a VPRN may consist of a full mesh of tunnels between
each VPRN node, or may be an arbitrary topology, such as a set of
remote offices connected to the nearest regional site, with these
regional sites connected together via a full or partial mesh. With
VPRNs using IP tunnels there is much less cost associated with full
meshing than in cases where physical resources (e.g., a leased line)
must be allocated for each connected pair of sites, or where the
tunneling method requires resources to be allocated in the devices
used to interconnect the edge routers (e.g., Frame Relay DLCIs). A
full mesh topology yields optimal routing, since it precludes the
need for traffic between two sites to traverse a third. Another
attr