Tunnel SAFI draft-nalawade-kapoor-tunnel-safi-03.txt

Slides: 19
Provided by: CiscoSys8
Learn more at: https://www.ietf.org

1
Tunnel SAFI draft-nalawade-kapoor-tunnel-safi-03.txt
  • SSA Attribute
  • draft-kapoor-nalawade-idr-bgp-ssa-01.txt

2
Changes over previous version
3
draft-nalawade-kapoor-tunnel-safi-03.txt
  • 4 more TLVs specified
      • MPLS
      • IPSec
      • GRE in IPSec
      • L2TPv3 in IPSec
  • Specified application and operation of MPLS VPNs
    over IP Tunnels
  • Specified application and operation of MPLS VPNs
    over IPSec Tunnels

4
draft-kapoor-nalawade-idr-bgp-ssa-01.txt
  • Length portion of the TLVs clarified
  • Type field contains a Transitive bit that
    indicates the transitivity of a TLV
  • IETF feedback accepted and the attribute made
    specific for use by the Tunnel SAFI

5
draft-kapoor-nalawade-idr-bgp-ssa-01.txt
  • The SSA Attribute carries information about a
    given Tunnel in a set of one or more Tunnel TLVs
  • Each TLV carries a Tunnel capability and
    information
  • The Sender can express preference for a specific
    Tunnel type in each TLV
  • This addresses the case where a receiving PE may
    understand only a subset of the Tunnel
    Capabilities
  • Each TLV can be marked Transitive

6
Tunnel SAFI
  • Applicability and Motivation

7
Tunnel SAFI Motivation
  • PE-PE Connectivity via MPLS LSP may not be viable
    (no label path)
  • Multicast VPN (awaiting MultiPoint-LSP models)
  • Transit via non-MPLS domains
  • Migrations between IP and MPLS
  • BGP VPN Auto-Discovery of L2VPN and L3VPN Tunnels
  • PE-PE Tunnels Preferred / Required
  • PE-PE Protection of IP Tunnel with IPSec

8
Multi-Point Tunnels
  [Figure: network diagram; surviving labels: PE1, PE2, PE3, PE4, PSN, MP-LSP, MP-GRE]

9
Hybrid Intra-AS
  [Figure: network diagram; surviving labels: PE1, PE2, PE3, PE4, PSN (two), ASBR 1, ASBR 2, IPtunnel, MPLS, BGP LABELS]

10
Extended AS via IP
  [Figure: network diagram; surviving labels: PE1, PE2, PE3, PE4, PSN, INET, ASBR 1, ASBR 2, IPt, MPLS, IPv4]

11
Extended Inter-AS via IP
  [Figure: network diagram; surviving labels: PE1, PE2, PE3, PSN, INET, ASBR 1, ASBR 2, ASBR3, ASBR4, IPt, MPLS, IPv4]

12
Tunneling Issues
  • Various Tunneling techniques between MPLS VPN PE
      • IPSec, LSP, MP-LSP, GRE, L2TPv3, IP, GREIPSec,
  • Synchronization Issue
  • Egress PE doesn't know the capabilities of the
    Ingress PE
  • Ingress PE confirmation of the egress PE's
    tunneling capability state
  • Egress PE may have a subset of tunneling
    capabilities
  • Tunnel type may have unique attributes
  • Achieving this through manual configuration is
    impractical for scalable deployment

13
Tunneling Characteristics
  • Tunneling is a PE capability
  • Tunnel provides connection to BGP Next Hop
    address
  • Tunnel end-point
      • MAY be the BGP Next-Hop Network Address (Unicast)
      • An alternate Network Address (Unicast or
        Multicast)

14
Tunnel Advertisement Goals
  • VPN prefixes may have an affinity to a particular
    tunnel type (secured/non-secured)
  • Undesirable to Establish an IGP inside the Tunnel
    (the BGP Next Hop is directly reachable via the
    tunnel end-point)
  • Ingress PE may select an appropriate tunneling
    mechanism based on the following
      • Tunnel end-point reachability
      • Egress PE capabilities
      • Egress PE preferences
      • Local preferences that may override the Egress PE
        preferences
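
The selection rules on this slide, written out as an added example (not code from the draft or the presenters). The TunnelTLV class, the "higher preference wins" ordering, the set of types treated as secured and the sample advertisement are assumptions made for illustration; the draft's wire format is not modelled.

```python
from dataclasses import dataclass

# Tunnel types named on the slides. Treating the IPSec-based ones as the
# "secured" class is an assumption of this example.
SECURED = {"IPSec", "GRE in IPSec", "L2TPv3 in IPSec"}

@dataclass(frozen=True)
class TunnelTLV:
    """Hypothetical decoded view of one Tunnel TLV (not the draft's wire format)."""
    tunnel_type: str
    preference: int   # egress PE preference; assumed here: higher is preferred
    endpoint: str     # tunnel end-point address

def select_tunnel(advertised, supported, reachable,
                  require_secured=False, local_order=()):
    """Return the TLV the ingress PE should use, or None if nothing qualifies."""
    candidates = [
        t for t in advertised
        if t.tunnel_type in supported            # ingress may know only a subset
        and t.endpoint in reachable              # tunnel end-point reachability
        and (t.tunnel_type in SECURED or not require_secured)
    ]
    if not candidates:
        # Fail closed: a prefix bound to secured tunnels never falls back
        # to a cleartext tunnel type.
        return None

    def rank(t):
        # Local preference overrides the egress PE's preference.
        if t.tunnel_type in local_order:
            return (0, local_order.index(t.tunnel_type))
        return (1, -t.preference)

    return min(candidates, key=rank)

# Constructed sample advertisement from one egress PE (documentation addresses).
ADVERTISED = [
    TunnelTLV("MPLS", 300, "192.0.2.1"),
    TunnelTLV("GRE", 250, "192.0.2.1"),
    TunnelTLV("GRE in IPSec", 200, "192.0.2.1"),
    TunnelTLV("L2TPv3 in IPSec", 100, "192.0.2.9"),
]
SUPPORTED = {"GRE", "GRE in IPSec", "L2TPv3 in IPSec"}   # no MPLS label path
REACHABLE = {"192.0.2.1"}

if __name__ == "__main__":
    print(select_tunnel(ADVERTISED, SUPPORTED, REACHABLE))
    print(select_tunnel(ADVERTISED, SUPPORTED, REACHABLE, require_secured=True))
```

Returning None when a secured tunnel is required but none qualifies keeps a VPN prefix with secured affinity from being forwarded over a non-secured tunnel.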

15
Proposed Tunnel SAFI Attributes
  • Distribution of
      • Tunnel Capabilities
      • Tunnel Attributes
      • Tunnel Identifier
      • Shared Tunnel Demultiplexor
      • Tunnel Authentication Info (Keys, Cookies, IKE
        Identities)
      • Tunnel Preferences
      • Tunnel End-point Addresses
      • Etc.

16
Tunnel Capability Advertisement
  • MP-EXT Capability
  • Advertised IPv4 or IPv6 Tunnel Capability for a
    specific AFI/SAFI
  • BGP Next-hop Prefixes Advertised for Tunnel
    AFI/SAFI
  • BGP SSA Attributes (now specific to the Tunnel
    SAFI) advertised to the peer

17
Applicability
  • BGP Auto-Discovery (draft-ietf-l3vpn-bgpvpn-auto-06.txt):
    Minimal tunnel information in the VPN discovery process
  • PE-PE IPSec (draft-ietf-l3vpn-ipsec-2547-04.txt):
    Affinity of VRF to IPSec Tunnel Capability
  • 2547bis via GRE/IP (draft-ietf-l3vpn-gre-ip-2547-04):
    Dynamic Establishment of Tunnels
  • Multicast VPN (draft-ietf-l3vpn-2547bis-mcast-00.txt):
    MVPN Tunnels

18
Proposal
  • Accept as a Working Group Document