2.3.7 Layer 3 Virtual Private Networks (l3vpn)

NOTE: This charter is a snapshot of the 58th IETF Meeting in Minneapolis, Minnesota USA. It may now be out-of-date.

Last Modified: 2003-09-25

Chair(s):
Rick Wilder <rick@rhwilder.net>
Ross Callon <rcallon@juniper.net>
Ronald Bonica <ronald.p.bonica@mci.com>
Internet Area Director(s):
Thomas Narten <narten@us.ibm.com>
Margaret Wasserman <margaret.wasserman@nokia.com>
Internet Area Advisor:
Thomas Narten <narten@us.ibm.com>
Technical Advisor(s):
Alex Zinin <zinin@psg.com>
Mailing Lists:
General Discussion: l3vpn@ietf.org
To Subscribe: https://www1.ietf.org/mailman/listinfo/l3vpn
Archive: https://www1.ietf.org/mail-archive/working-groups/l3vpn/current/maillist.html
Description of Working Group:
Alex Zinin is the routing advisor.

This working group is responsible for defining and specifying a limited number of solutions for supporting provider-provisioned Layer-3 (routed) Virtual Private Networks (L3VPNs).

The WG is responsible for standardization of the following solutions:

1. BGP/MPLS IP VPNs (based on RFC 2547)

2. IP VPNs using Virtual Routers

3. CE-based VPNs using IPSEC

The following VPN deployment scenarios will be considered by the WG:

1. Internet-wide: VPN sites attached to arbitrary points in the Internet

2. Single SP/single AS: VPN sites attached to the network of a single provider within the scope of a single AS

3. Single SP/multiple AS'es: VPN sites attached to the network of a single provider consisting of multiple AS'es

4. Cooperating SPs: VPN sites attached to networks of different providers that cooperate with each other to provide VPN service

As part of this effort the WG will work on the following tasks (additional work items will require rechartering):

1. Requirements and framework for Layer 3 VPNs

2. Solution documents for each approach listed above (including applicability statements)

3. MIB definitions for each approach

4. Security mechanisms for each approach

As a general rule, the WG will not create new protocols, but will provide functional requirements for extensions of the existing protocols that will be discussed in the protocol-specific WGs. L3VPN WG will review proposed protocol extensions for L3VPNs before they are recommended to appropriate protocol-specific WGs.

Multicast and QoS support are excluded from the charter at this time. They may be considered for inclusion in an updated charter at a later time. Future work items may also include OAM support.

Goals and Milestones:
Done  Submit L3 VPN Requirements Document to IESG for publication as Info
Done  Submit Generic Requirements Document to IESG for publication as Info
Done  Submit L3 VPN Framework Document to IESG for publication as Info
Dec 03  Submit VPN Security Analysis to IESG for publication as Info (draft-fang-ppvpn-security-framework-00)
Dec 03  Submit BGP/MPLS VPNs specification and AS to IESG for publication as PS (draft-ietf-ppvpn-rfc2547bis-03, draft-ietf-ppvpn-as2547-01)
Dec 03  Submit CE-based specification and AS to IESG for publication as PS (draft-ietf-ppvpn-ce-based-03, draft-declercq-ppvpn-ce-based-sol-00, draft-declercq-ppvpn-ce-based-as-01)
Dec 03  Submit Virtual Router specification and AS to IESG for publication as PS (draft-ietf-ppvpn-vpn-vr-03, draft-ietf-ppvpn-as-vr-01)
Jan 04  Submit VPN MIB Textual Conventions to IESG for publication as PS (draft-ietf-ppvpn-tc-mib-02)
Jan 04  Submit MPLS/BGP VPN MIB to IESG for publication as PS (draft-ietf-ppvpn-mpls-vpn-mib-05)
Jan 04  Submit VR MIB to IESG for publication as PS (draft-ietf-ppvpn-vr-mib-04)
Jan 04  Submit BGP as an Auto-Discovery Mechanism for publication as PS (draft-ietf-ppvpn-bgpvpn-auto-05.txt)
Mar 04  Submit specification of using IPSEC for PE-PE encapsulation in BGP/MPLS VPNs to IESG for publication as PS (draft-ietf-ppvpn-ipsec-2547-03)
Mar 04  Submit specification of using GRE for PE-PE encapsulation in BGP/MPLS VPNs to IESG for publication as PS (draft-ietf-ppvpn-gre-ip-2547-02)
Mar 04  Submit specification of CE Route Authentication to IESG for publication as PS (draft-ietf-ppvpn-l3vpn-auth-03)
Mar 04  Submit specification of OSPF as the PE/CE Protocol in BGP/MPLS VPNs for publication (draft-rosen-vpns-ospf-bgp-mpls-06.txt)
Internet-Drafts:
  • draft-ietf-l3vpn-requirements-00.txt
  • draft-ietf-l3vpn-framework-00.txt
  • draft-ietf-l3vpn-ce-based-01.txt
  • draft-ietf-l3vpn-bgp-ipv6-01.txt
  • draft-ietf-l3vpn-mpls-vpn-mib-00.txt
  • draft-ietf-l3vpn-rfc2547bis-01.txt
  • draft-ietf-l3vpn-ipsec-2547-01.txt
  • draft-ietf-l3vpn-ospf-2547-00.txt
  • draft-ietf-l3vpn-gre-ip-2547-00.txt
  • draft-ietf-l3vpn-bgpvpn-auto-00.txt
  • draft-ietf-l3vpn-vpn-vr-01.txt
  • draft-ietf-l3vpn-vr-mib-00.txt
  • draft-ietf-l3vpn-tc-mib-00.txt
  • draft-ietf-l3vpn-as2547-03.txt
  • draft-ietf-l3vpn-applicability-guidelines-00.txt
  • draft-ietf-l3vpn-as-vr-00.txt
  • draft-ietf-l3vpn-generic-reqts-01.txt
  • draft-ietf-l3vpn-mgt-fwk-00.txt
  • draft-ietf-l3vpn-l3vpn-auth-00.txt
  • draft-ietf-l3vpn-security-framework-00.txt
  • No Request For Comments

    Current Meeting Report

    L3VPN Working Group
    Wed 11/12/03 9:00am - 10:00am
    
    
    Agenda:
            Agenda Bashing                  (5 minutes - chairs)
            Working Group Document Status   (15 minutes - Ross Callon)
            Charter: Ongoing/Future Work    (15 minutes - Ron Bonica)
            MPLS over L2TP                  (15 minutes - Mark Townsley)
            CE member authentication        (20 minutes)
    
    
    
    1) Document status (Ross Callon) 
    
    
            L3 Framework <draft-ietf-l3vpn-framework-00.txt>
                    IESG has approved for publication

            L3 Service req'ts <draft-ietf-l3vpn-requirements-00.txt>
                    IESG Review and/or update based on comments

            Generic req'ts <draft-ietf-ppvpn-generic-reqts-03.txt>
                    IESG Review and/or update based on comments

            Security Framework
                    Passed WG last call;
                    Being updated based on security directorate comments

            BGP/MPLS IP VPNs and AS
                    <draft-ietf-l3vpn-rfc2547bis-01.txt>,
                    <draft-ietf-l3vpn-as2547-03.txt>
                    Passed l3vpn working group last call
                    Is currently in IDR working group last call

            VR Architecture and AS
                    <draft-ietf-l3vpn-vpn-vr-01.txt> &
                    <draft-ietf-l3vpn-as-vr-00.txt>
                    Base document is ready for WG last call
                    AS update expected soon after IETF
                    Both should go to WG last call as soon as AS is ready

            CE/IPSec Architecture and AS
                    <draft-ietf-l3vpn-ce-based-01.txt> &
                    <draft-declercq-l3vpn-ce-based-as-00.txt>
                    Recent update to address mailing list comments:
                            Clarify CE operation in two distinct routing spaces and management spaces
                            More description of tunnel establishment
                            More description of Internet connectivity
                            Awaiting update to AS
                            Security considerations and template
                    WG Last call expected soon

            Guidelines of Applicability Statements for PPVPNs
                    <draft-ietf-l3vpn-applicability-guidelines-00.txt>
                    Long term disposition is still tbd

            MPLS/BGP MIB <draft-ietf-ppvpn-mpls-vpn-mib-05.txt>
                    Needs update & MIB Doctor review
                    WG last call should occur relatively soon thereafter

            Virtual Router MIB <draft-ietf-ppvpn-vr-mib-05.txt>
                    same status as MPLS/BGP MIB

            CE MIB
                    TBD (do we need a MIB? - question to be addressed on mail list)

            Req'ts for MPLS MIBs <draft-lai-mpls-mib-rqmts-00.txt>
                    L3vpn issues have been resolved.

            Framework for PPVPN Op.& Man. <draft-ietf-l3vpn-mgt-fwk-00.txt>
                    Accepted as working group document at last IETF
                    Comments to l3vpn mailing list

            Textual Conventions <draft-ietf-ppvpn-tc-mib-02.txt>
                    "Very Stable".

            2547 for IPv6 <draft-ietf-ppvpn-bgp-ipv6-vpn-03.txt>
                    Charter is being updated to include IPv6

            PE-PE IPsec for 2547 <draft-ietf-ppvpn-ipsec-2547-03.txt>
            PE-PE GRE or IP for 2547 <draft-ietf-ppvpn-gre-ip-2547-02.txt>
            BGP as Auto-Discovery <draft-ietf-ppvpn-bgpvpn-auto-05.txt>
                    All of above are stable, no significant recent updates

            CE-to-CE Member Verif'n
                    <draft-ietf-ppvpn-l3vpn-auth-03.txt> and
                    <draft-ietf-Behringer-mpls-vpn-auth>
                    Possibility to reconcile the two approaches in a single document - see below.

            OSPF as PE/CE Protocol in BGP/MPLS VPNs <draft-ietf-l3vpn-ospf-2547-00.txt>
                    Currently in WG last call
                    Last call extended to 11/21/2003 (5pm EST)
                    Related document <draft-ietf-ospf-2547-dnbit-01.txt> in last call in the OSPF working group
    
    
    
    2)  Charter (Ron Bonica) 
            
            We have made progress and are nearing completion of many of our 
    original tasks (e.g., Framework and Requirements Documents completed, 
    Security Frameworks passed WG last call, BGP/MPLS base spec and AS passed 
    l3vpn last call and are in IDR last call, ...). It is therefore a good time 
    to think about future work. 
    
    
            We propose updating the Charter for additional work items. We have 
    proposed to the IESG an update which adds support for IPv6. As the 
    current set of documents is completed, we will propose to also add 
    charter support for Multicast.
    
    
    
    3) MPLS over L2TPv3 with BGP L3VPNs (Mark Townsley) 
    
    
            (see presentation)
    
    
            Proposal:  Edit current contribution to include BGP signaling 
    along with L2TP formats. Use this to create a new document which could 
    become draft-ietf-l3vpn-l2tpv3-2547-00.txt (if accepted as a working group 
    document). 

            Note that this would be in addition to existing documents:

                            draft-ietf-l3vnp-ipsec-2547-03.txt
                            draft-ietf-l3vpn-gre-ip2547-00
    
    
            Discussion:
    1)      Yakov: There were some comments in opposition to this when it was 
    presented in the MPLS WG session. Security is an issue
    
    
                    a) Security review is needed (by security 
    directorate)
    
    
                    b) The solution is by no means specific to 2547 - it is 
    applicable to any multipoint-to-point application.
    
    
                    c) The document needs to explain why extending BGP for 
    multipoint-to-point L2TP signaling is preferred over the existing L2TP 
    signaling (or extending L2TP to provide multipoint-to-point 
    signaling)
    
    
            
    2)      Ross: Why do we need another encapsulation? We already have 
    encapsulation over MPLS, GRE, and IPsec.   Does this have an advantage that 
    these other encapsulations don't?
                    
                    (response) There are already 4 encapsulations
                                    MPLS over MPLS
                                    MPLS over IPsec
                                    MPLS over GRE
                                    MPLS over IP 
                            
                    (Eric Rosen) We already have many many different tunnel 
    types in use. Service providers have preferences for each. We need a 
    specification for each. 
    
    
                    Agreement: we should include the reasons why the choices are 
    being made.
    
    
            Mark: The intention is to update the document before it would be a 
    working group document. 
    
    
            Ross:  We can't accept a document as a working group document 
    until we have the document. Can you send an outline to the mailing list 
    with a description of what would be in the extended draft with the 
    articulation of the issues? 
    
    
            Mark: Yes, this makes sense.
    
    
            Agreement: Will be discussed on the list. 
    
    
    
    3) Reconciling the L3VPN authentication Drafts (also known as "Singing 
    Kumbaya"),  M Behringer, M. Bonica
            
    We currently have two drafts related to authentication (one a working 
    group document, one an individual contribution):
    
    
                    1) Draft-ietf-l3vpn-l3vpn-auth
                            - provides the method through which the 
    customers can detect SP misconfiguration 
                            - Does nothing to prevent 
    misconfiguration
                            - delegates authentication task to the CE
                            - requires new functionality on the CE
    
    
                    2) Draft Behringer-mpls-vpn-auth
                            - reduces the probability of SP 
    misconfiguration
                            - Does not allow customer to detect 
    misconfiguration if it does occur
                            - delegates the authentication task to the PE
                           - requires nothing new on the CE
    
    
    We have two drafts. Options are: merge, let them both live, kill one.
    We propose to merge the drafts. 
            
    Opportunity: 
                    1) PE obtains the token from CE
    
    
                            original draft: BGP extended community received 
    from CE
                               
                            new protocol with CE
    
    
                            Hashed authentication key from CE-PE routing 
    protocol
                            
                    2) PE distributes token throughout SP network
    
    
                    3) PE 
                            - Distribute to CE using BGP community or new 
    protocol
                            - User decides whether or not to 
    authenticate
    
    
    Convergence:
                    1) Converge on a common mechanism for distribution
                                    - Use a new BGP attribute
    
    
                    2) Add a third mechanism for obtaining token to 
    draft-ietf-l3vpn-l3vpn-auth
                            - Derive the token from the PE-CE MD5 key
    
    
                    3) Add a third application for the key at the egress PE
                            - Use it to decide whether to install the route
    
    
    
    Discussion:  (Ross Callon) Reasonable to update document. Comments on the 
    list. 
    
    
    (Ron Bonica)  We would appreciate comments from carriers and service 
    providers. 
    
    
    
    4) Michael Behringer: 
    <draft-behringer-mpls-security-04.txt>
    
    
    He wants to know what the disposition will be of his document 
    "Analysis of the Security of BGP/MPLS IP VPNs". He requests that people 
    send comments on the draft to the mailing list. 
    
    
    Ross: This makes sense. Please review the document to determine whether it 
    should become a working group document with the intention of being 
    published as Information. Send comments to the list. Requested that 
    Michael send a message to the mail list requesting feedback on the 
    Behringer security draft. Michael agrees. 
    

    Slides

    Status of L3 PPVPN Working Group Documents
    L3VPN Charter
    MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs
    Reconciling the L3VPN Authentication Drafts