Network Working Group Jeremy De Clercq INTERNET DRAFT Olivier Paridaens Andrew Krywaniuk Alcatel Cliff Wang SmartPipes June 2002 Expires December, 2002 An Architecture for Provider Provisioned CE-based Virtual Private Networks using IPsec Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months. Internet-Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet- Drafts as reference material or to cite them other than as a ``working draft'' or ``work in progress.'' To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au(Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). Distribution of this memo is unlimited. Abstract This document describes the procedures for a Service Provider to offer Virtual Private Network Services to its customers by provisioning the CE devices on behalf of the customer. The IPsec technology is used to protect the customer traffic. De Clercq et al. Expires December 2002 [Page 1] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 0. SubIP-Area Section SUMMARY The PPVPN framework document [FRAMEWORK] identifies three basic provider provisioned VPN types : Provider Provisioned Network Based (or PE-based) Layer 3 VPNs, Provider Provisioned Layer 2 VPNs and Provider Provisioned CE-based VPNs. This document describes a method enabling a Service Provider to offer VPN services to its customers by provisioning the CE devices on behalf of the customer (Provider Provisioned CE-based VPNs). For a CE-based VPN to be set up under the SP's control, the VPN customer informs the Service Provider of which sites (identified by a set of CE devices) should become part of the considered VPN and what the requested topology of the VPN should look like. The SP then configures and maintains a VPN database and manages the Customer's VPN. The model proposed in this document uses the IPsec protocol suite for the purpose of securing the customer VPN traffic. When the model proposed is used, the addition of one VPN site only requires a minimum amount of configuration. This is obtained via a provisioning scheme using a network management protocol. RELATED DOCUMENTS See References section (especially [TOUCH], [WANG-ROUTING], [WANG- GROUPS]). WHERE DOES IT FIT IN THE PICTURE OF THE SUB-IP WORK PPVPN box. WHY IS IT TARGETED AT THIS WG This document describes a mechanism for Provider Provisioned CE-based VPNs, which is clearly identified as an item within the scope of the PPVPN WG, as stated from the following WG charter extract: "This working group is responsible for defining and specifying a limited number of sets of solutions for supporting provider-provisioned virtual private networks (PPVPNs). The work effort will include the development of a framework document, a service requirements document and several individual technical approach documents that group technologies together to specify specific VPN service offerings. The framework will define the common components and pieces that are De Clercq et al. Expires December 2002 [Page 2] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 needed to build and deploy a PPVPN. Deployment scenarios will include provider-managed VPN components located on customer premises.". JUSTIFICATION This document is justified by the fact that it defines a solution for PP CE-based VPNs, which are identified as a specific type of PPVPNs both in the WG charter and the general framework I-D. As described in the general framework I-D, PP CE-based VPNs have specific characteristics compared to Network-Based VPNs especially with regards to management and security. 1. Introduction The PPVPN framework document [FRAMEWORK] identifies three basic provider provisioned VPN types : Provider Provisioned Network Based (also termed PE-based) Layer 3 VPNs, Provider Provisioned Layer 2 VPNs and Provider Provisioned CE-based VPNs. This document describes a method enabling a Service Provider to offer VPN services to its customers by provisioning the CE devices on behalf of the customer (Provider Provisioned CE-based VPNs). For a CE-based VPN to be set up under the SP's control, the VPN customer informs the Service Provider of which sites (identified by a set of CE devices) should become part of the considered VPN and what the requested topology of the VPN should look like. The SP then configures and updates its VPN database, and then provisions and manages the Customer's VPN. The model proposed in this document uses the IPsec protocol suite for the purpose of securely tunneling the customer VPN traffic. This specification proposes some mechanisms that can be used to enhance the scalability of the VPN provisioning (e.g. the addition of a VPN site to an existing VPN). 2. Reference Model The reference model upon which the mechanisms and procedures described in this document are based, is taken from the CE-based VPN reference model described in [FRAMEWORK]. The most important aspects of that framework model and the restrictions that are relevant to this document are described in this section. De Clercq et al. Expires December 2002 [Page 3] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 +---------+ +------------------------------------+ +---------+ | | | | | | | | | +------+ +------+ : +------+ +------+ : | | | | | | : | CE | | CE | : | | | P | | PE | : |device| |device| : +------+ VPN tunnel |router| |router| : | of | | of |=:====================================================:=|VPN A| |VPN A| : | | +------+ +------+ : +------+ +------+ : | PE | | | : | +------+ : |router| | | : | | CE | : | | VPN tunnel +------+ : +------+ |device|=:====================================================:=| CE | | of | : +------+ | PE | : |device| |VPN B| : | | |router| : | of | +------+ : | | +------------+ +------------+ | | : |VPN B| | : | | | Customer | | Network | +------+ : +------+ |Customer | | | management | | management | | | : | |interface| | | function | | function | | |Customer | | | | +------------+ +------------+ | |interface| | | | | | | +---------+ +------------------------------------+ +---------+ | Access | |<---------- SP network(s) --------->| | Access | | network | | | | network | Figure 1: Reference model for provider provisioned CE-based VPNs 2.1 Entities in the reference model o Customer Edge (CE) device In the context of this solution, a CE device is a router located at the edge of a customer site, that has IP connectivity with a SP's PE device. A CE device maintains one or more VPN tunnel endpoints. The VPN-specific functions in the CE device are managed by the SP's management system. Note that other functions that are normally applied by the PE router may need to be performed by the CE device in this context (e.g. NAT functionality, QoS classification, etc.). The CE device may also provide general (non VPN-oriented) Internet connectivity for the customer network. Such connectivity may be achieved via the SP's PE router that provides the VPN connectivity or some other router (of the same or another SP). In such a situation, the CE device must be able to distinguish between traffic to be sent through a VPN and traffic to be sent outside any VPN. De Clercq et al. Expires December 2002 [Page 4] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 o Provider Edge (PE) router In the context of Provider Provisioned CE-based VPNs, a PE router is a router, located at the edge of the Service Provider's network, that does not have any VPN-specific functionality. A PE router is attached via an access connection to one or more CE devices, and offers IP connectivity over the access connections to these CE devices. o SP network A SP network is a network administrated by a single service provider. In the context of provider provisioned CE-based VPNs, the SP network consists of the Service Provider's IP (backbone) network and the Service Provider's management functions that manage both its own IP (backbone) network and the VPN customer's VPN functions on the CE devices. o Access connection An access connection represents an isolated layer 2 connectivity between a CE device and a PE router. This includes dedicated physical circuits, logical circuits (such as Frame Relay and ATM), plus IP tunnels (e.g., using IPsec, L2TP). In the context of provider provisioned CE-based VPNs, the CE device and the PE router have layer 3 connectivity over the Access Connection. o VPN tunnel A VPN tunnel is a logical link between two entities which is created by encapsulating packets within an encapsulating header for purpose of transmission between those two entities for support of VPNs. In the context of provider provisioned CE-based VPNs, a VPN tunnel is an IP tunnel (e.g., using IPsec, L2TP, GRE, IP-in- IP) between two CE devices over the SP's network. In the context of this document, a VPN tunnel is achieved using IPsec in tunnel mode or via an IP-in-IP tunnel protected by IPsec in transport mode between two CE devices. [GRE-CE] describes how to use GRE encapsulation for CE to CE tunneling in a CE-based IPsec VPN scenario. 2.2 Assumed Reachability It is assumed in this specification that the CE devices have at least one IP address that is known to the SP network and that is routable within the SP's network. This implies that every CE device knows how to reach the other CE devices attached to the common SP. This might be via a direct routing entry in the CE's routing table or De Clercq et al. Expires December 2002 [Page 5] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 alternatively via a default route towards the PE device it is attached to. These CE IP addresses will be known in the SP network, if not globally, then at least in the PE devices engaged in the VPN services. This means that either a routing protocol will be running between the CE and the PE device, exchanging routes belonging to the service provider's routing realm; or alternatively, the CE will have a configured default route or static route towards the PE, and the PE will have assigned an IP address to the CE device before or upon set-up of the IP service offered to the CE device. 2.3 Assumed Service Provider's infrastructure It is assumed that the Service Provider has a secure management channel to every attached CE device. This secure management channel will be used to exchange VPN-specific configuration information between the SP's VPN database and the CE devices. The particular implementation of this management channel is currently outside of the scope of this document. Some examples are: (i) manual configuration by a trusted party, directly on the considered network element; (ii) via a management protocol running over an IPsec-secured connection between the SP's management center and the considered network element; (iii) via a management protocol that has its own implicit security mechanisms. For scalability reasons, manual configuration is not recommended. 3. Configuring the CE-based VPN As a Service Provider that is offering VPN services over its backbone network will be responsible for the configuration and the management of a potential large amount of VPNs, it is required that the provisioning actions for the initial establishment and the maintenance of a PP CE-based VPN would be minimal. The minimal configuration required is to first configure the Service Provider's VPN database with the CE device to be part of a well- defined VPN. Further device provisioning can be achieved through the management channel. For the purpose of CE device configuration, the Service Provider will maintain a VPN database per VPN customer. The exchange of information between the SP's VPN database and the targeted CE-devices is achieved using an information exchange/configuration protocol such as LDAP, SNMP, COPS etc. We will call this protocol 'the management protocol' throughout the rest of this document. De Clercq et al. Expires December 2002 [Page 6] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 It is assumed for the scope of this document that the management channel used for the configuration information exchange by the chosen protocol is sufficiently secured (e.g. by using a specific IPsec protection for that purpose, or by using a SSL or SSH protected channel, etc.). 3.1 (Minimal) configuration needed at the CE device - 'Management channel' information : the information needed to access (or to exchange information with) the SP's VPN database ('database reachability information', authentication information for the VPN database, encryption information for the configuration management channel, necessary credentials, etc.). Note that this is assumed to be present, and that setting up a secure management channel is outside of the scope of this document. - Peer CE devices : the IP addresses (in the SP's realm) of the peer CE devices that belong to the same VPN and to which a direct peering relationship is required. This information can be one IP address (e.g. in the case that the considered CE device is a 'spoke' in a 'hub&spoke' topology); this information can be the complete set of the IP addresses of all the other CE devices belonging to the same VPN (in the case of a 'fully meshed' topology); or this information can be a subset of the IP addresses of the CE devices belonging to the same VPN (for more complex topologies). - Security Information : the information needed to set up and maintain IPsec Security Associations with the Peer CE devices: - a set of transforms to use with IPsec (this information relates to the protection of the actual user data packets) for every Security Association. - tunnel property information for every SA that the considered CE participates in : traffic-driven tunnel or 'permanent' tunnel; tunnel mode or IPsec transport mode on an IP-in-IP tunnel; dynamic routing through the tunnel or not. - an IKE credential: (i) a pre-shared key or (ii) a private key/certificate pair and a certificate for a Certificate Authority (these are to be used to establish the IPsec security associations with the peer CE devices). This credential will be used for the generation of the keys for all the Security Associations the considered CE participates in. - VPN identifier: an identifier that uniquely identifies the VPN that the customer belongs to. The VPN identifier defined in [RFC2685] can be used for this purpose, or any unique identifier the PPVPN WG De Clercq et al. Expires December 2002 [Page 7] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 agrees upon. Note that the use of this VPN identifier will be necessary when one site is allowed to be part of more than one VPN, but that this specification does not currently specify that scenario. Another feature that may require the use of a unique VPN identifier is the IKE-based membership discovery mechanism described in section 3.2. This means that the VPN database (identified by a VPN identifier) of the SP's management system contains a list of all the CE devices belonging to the specified VPN, a description of the topology (full mesh, hub&spoke, etc.) and some security-related information related to every CE-to-CE tunnel. For interoperability reasons, a simple way to describe most of the common VPN topologies (full mesh, hub and spoke, partial mesh, etc.) should be defined. One very simple possibility is to define two types of sites: a site (or CE) is either a "hub" or a "spoke". The imposed behavior is the following: "hub" CEs have direct connectivity (i.e. a VPN tunnel) with all other "hub" CEs AND all "spoke" CEs in the same VPN; "spoke" CEs have direct connectivity ONLY with the "hub" CEs of the same VPN. As such, some important topologies can be constructed: - in a full mesh topology, all sites are "hub" sites - in a hub and spoke topology, the hub site is a "hub" while the spoke sites are "spokes" - other topologies are possible by making some sites "hub" sites and some sites "spoke" sites More complete schemas can be defined, and work is currently going on to achieve this goal [WANG-GROUPS]. Note that every CE also needs to be configured as to align the routing within the VPN with the tunneling between VPN sites. Section 4 describes these issues in more detail. 3.2 Updating configuration information One of the most important requirements relating to scalability for PP-VPNs is that the addition/deletion of a certain site to/from an existing VPN should be possible with a minimal of configuration effort. Manual configuration of the information related to the new site into every existing CE in the particular VPN is not a scalable option. An automatic mechanism for membership discovery/distribution is therefor required. The CE's IP address in the SP's realm, the VPN-ID of the VPN it De Clercq et al. Expires December 2002 [Page 8] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 belongs to, the 'role' of the new site in the existing topology (hub, spoke, etc.), and the necessary security information need to be configured in the concerned VPN database. Different methods to achieve the requested 'automatic' behavior are possible. This section describes some possible approaches but does not claim to be exhaustive. o using the SP's management system In this approach, the customer notifies the SP of the site to be added (out of band), and the SP's management system takes care of configuring its VPN database, takes care of provisioning the new CE device and takes care of updating the other CE devices that belong to the considered VPN. This provisioning also initiates the IPsec signaling between the new CE device and the existing CE devices. o pushing information from the SP's VPN database This approach can be seen as a more detailed description of an example of the previous approach. The customer first notifies the SP of the site to be added. The SP then configures its VPN database with the new membership information. This updating of the VPN database will trigger an information exchange between the SP's VPN database and the concerned CE devices (the new CE device and all the CE devices it has to peer with). This distribution of the updated information happens over a secured 'management channel', via a configuration protocol (such as COPS, DHCP, LDAP, SNMP, etc.). This method implies that the protocol used for the distribution of the configuration information to the CE devices should be usable in a "PUSH" mode from 'server' to 'client' (the management system - server - pushes the updated information to the concerned parties - clients -). It is to be noted that some information distribution technologies such as LDAP are natively not PUSH oriented. If the VPN configuration is stored using such a technology, it is necessary to define a mechanism that enables the CE to be triggered so as to fetch VPN configuration from its repository. Such a mechanism could be based on the use of SNMP messages sent to the CE device, with specific variables that trigger the fetch operation. o using the SA signaling protocol (IKE) The customer first notifies the SP of the site to be added. The SP De Clercq et al. Expires December 2002 [Page 9] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 then configures the new CE device and its VPN database (this could eventually be done manually). When the new CE device is configured with the required configuration information, it will start the IPsec signaling (via IKE or its successor) with the peer CE devices it is configured with. When a peer CE device (that already belongs to the considered VPN) receives an initial IPsec signaling message, it MUST check whether the initiating CE device belongs to the set of CE devices the considered CE needs to peer with, by looking at its VPN configuration information. If the initiating CE device does not belong to that set according to its VPN configuration information, the CE device needs to update its VPN configuration information by fetching the 'latest' VPN configuration information from the SP's VPN database (e.g. using a protocol for database retrieval such as COPS, DHCP, FTP, HTTP, LDAP, etc.) over the secured management channel. If after the updating of the VPN configuration information, the initiating CE device is still not part of the CE devices the considered CE device has to peer with, then the considered CE device MUST reject the incoming IPsec SA establishment. If the initiating CE device belongs to the set of CE devices that the considered CE device must peer with, then the incoming IPsec SA establishment should be accepted and an IPsec 'tunnel' should be established. This use of IKE may require the addition of a VPN ID to the IKE signaling messages, for example if CE devices are allowed to establish IPsec SAs within other contexts than the considered VPN context. 3.3 Setting up the VPN tunnels When one VPN site sends traffic to another VPN site belonging to the same VPN, these IP packets will be secured via IPsec. This means that an IPsec Security Association is needed between each pair of sites that directly exchange private VPN data with each other. The Internet Key Exchange protocol (IKE, [IKE]) or its successor will be used for the purpose of automatic setup of security associations between VPN sites within the same VPN. The IPsec SA setup can be triggered by the effective (data) traffic flow going from one site to another. In this case, the arrival of data packets at the CE device, coming from within the VPN site and going to another VPN site, will be noticed by the CE's IPsec or routing database, and an IKE exchange will be initiated to set up an IPsec secured connection between both parties. Once the secure tunnel is set up, the data packets can flow from one site to the other in a De Clercq et al. Expires December 2002 [Page 10] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 secure way. When no traffic flows for a certain duration of time, the secure tunnel will be torn down again. An advantage of this method is that an IPsec tunnel is only to be maintained when there is effectively traffic flowing. A disadvantage is the extra delay introduced for the traffic during IKE signaling and the interaction with the tunneled inter-site VPN routing information distribution. Provider provisioned CE-based IPsec VPNs as described by this document MAY use traffic-driven IPsec SA establishment when static inter-VPN site routing is used (no dynamic routing through the IPsec tunnels), see section 4.3. Provider provisioned CE-based IPsec VPNs as described by this document SHOULD NOT use traffic-driven IPsec SA establishment when dynamic site-to-site routing through the IPsec- secured tunnels is used. Alternatively, 'permanent' IPsec tunnels can be set up. These tunnels are always available and not traffic-triggered. It is then required to frequently re-negotiate the SA (via IKE) before the IPsec timers of the connection time out. The set-up of a 'permanent' IPsec tunnel can be triggered by the configuration of a new peer CE device within the same VPN. An advantage of this method is that the IPsec tunnel is always available, and that eventual traffic does not encounter an extra delay due to the setup time of a new SA. The use of 'permanent' IPsec tunnels is recommended for CE-based site-to-site VPNs. Provider provisioned CE-based IPsec VPNs as described by this document SHOULD use 'permanent' IPsec Security Associations when dynamic routing through IPsec-secured tunnels is used. The CE configuration determines whether traffic-driven SA establishment is used or not, and whether dynamic routing through IPsec tunnels is used or not. Note that IPsec tunnels are unidirectional in nature, but that usually the set up of one direction is accompanied by the set up of the reverse direction IPsec tunnel. This document describes two possible ways to use IPsec in CE-based VPN scenarios (see section 5): in 'transport mode' or in 'tunnel mode'. The CE configuration, IKE exchange and resulting SA's must specify which mode will be used. Note that the number of peer CE devices with which a specific CE device must have an IPsec connection to secure the data traffic, is dependent on the specific 'role' of the site in the considered VPN. A hub CE will for example have a larger number of tunnels to support than a spoke device. De Clercq et al. Expires December 2002 [Page 11] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 3.4 VPN resilience When IPsec tunnels are used for VPN site-to-site connection, many times it is important for a SP to provide its customers with connection resilience. The site-to-site VPN could be broken due to either a VPN link failure or a VPN node failure. VPN resilience support would require both VPN node redundancy and VPN link redundancy. To support VPN node redundancy, extra CE routers can be placed. Two deployed CE routers can provide fail-over and potentially load balancing support. It is possible that only one end of a VPN link has redundancy. For example, in a hub-spoke topology, the hub node is more important than a spoke node. It is not unusual to provide redundancy just to the hub router. The VPN link resilience support comes from two levels: IPsec tunnel level and physical link level. To provide physical link redundancy, a customer may subscribe two links from the SP. At the IPsec tunnel level, a customer may set up more than one IPsec tunnel. If the remote site has only a single CE device, both tunnels will terminate at the same device. If the remote site has two CE devices, each tunnel may terminate at different CE devices. When the redundant VPN links connect to two separate CE devices at the remote site, the user (or the SP) must decide how to split the traffic between the two VPN links. One choice is to designate one link as the primary link which carries all the traffic and leave the other idle link as the backup. The other choice is to divide the traffic between the two links. When two links are used, the important issue is to detect any link failure and divert the traffic to the healthy link. One way to achieve this is to run routing keep-alive through both tunnels. When a link is down, the routing protocol is able to discover the link outage and reroute the traffic accordingly. 4. Exchanging and maintaining VPN routes One of the requirements for PP CE-based VPNs is that dynamic routing is not only supported within individual VPN sites, but also between the different VPN sites of a specific VPN. This means that when a change in the routing information in a specific site occurs, the other sites that belong to the same VPN must be notified of that change. This document assumes that the routing within a VPN site is controlled by the VPN customer, and thus is outside of the scope of this specification. De Clercq et al. Expires December 2002 [Page 12] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 On the other hand, the role of the CE device with regards to routing, the interaction between the intra-site and inter-site routing and the relationship between routing and VPN tunnels are addressed in this specification. For more detailed aspects concerning issues with regards to routing and CE-based IPsec VPNs, we refer to [TOUCH], [WANG-ROUTING] and [KNIGHT]. 4.1 The CE device and VPN routing On the customer network side, a CE router connects to internal networks of an enterprise, where one or more subnets can reside. Many times, the CE router may interact with another internal router. The CE is involved in (i) the intra-site routing, (ii) the VPN tunnel termination, and (iii) the inter-site VPN routing. The CE device could be an integrated device providing both routing and IPsec tunnel termination. Sometimes, a dedicated VPN terminator may be used. Implementations in which the VPN tunnel terminator resides on a firewall are also very common. For the sake of simplicity, we assume that the CE router is an integrated device that participates in the intra-site routing (e.g. via an IGP) and at the same time terminates VPN tunnels. In the context of this document, the routing aspects within a VPN site (intra-site routing information distribution) are controlled by the VPN customer. The role of the SP is either to completely manage the inter-site reachability distribution or to configure the CE devices in such a way that the customer may transparently run routing protocols (or configure static routes) through the VPN tunnels. 4.2 IPsec and routing IPsec is a layer 3 tunneling protocol, which operates purely at the IP layer. The IETF IPsec Working Group specifies the IPsec standards ([IPSEC], [RFC2402], [RFC2406], [RFC2407], [RFC2408], and [IKE]). The interaction between IPsec and layer 3 routing is often troublesome and has been described in [WANG-ROUTING], [TOUCH] and [KNIGHT]. Depending on individual implementations, difficulty may arise when an IPsec user wants to support robust routing across IPsec VPNs sites. Details regarding the problems of the interaction between VPN routing and VPN tunneling, and some proposed solutions to counter these issues, can be found in [WANG-ROUTING], [TOUCH] and [KNIGHT]. 4.3 Mechanisms to exchange VPN routes between VPN sites This document describes two alternative mechanisms for the purpose of De Clercq et al. Expires December 2002 [Page 13] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 exchanging VPN routes between VPN sites. The mechanism that is in use for a particular tunnel is identified by the CE configuration information. 4.3.1 Tunneling routing information between CE devices through the IPsec tunnels. In the first mechanism to exchange VPN reachability information, normal routing protocol messages are tunneled through the IPsec- secured tunnels between peering sites. The CE-to-CE IPsec-secured tunnels between VPN sites are then being seen as point-to-point links by the customer networks and are inserted as such in the routing protocol functions of the CE devices. This means that when a change in the reachability occurs in one particular site, a routing protocol (such as RIP, OSPF, etc.) will take care of the distribution of the new reachability information within the site, but also to all other sites, through the VPN tunnels that the considered CE is peering with. When routing protocol messages are tunneled through the IPsec-secured tunnels ('dynamic routing through IPsec-secured tunnels') as per this section, IPsec transport mode secured IP-in-IP tunnels as per [TOUCH] SHOULD be used (in contrast to IPsec tunnel mode tunnels). Note that other approaches may use a combination of dynamic routing and IPsec tunnel mode tunnels, though it is not clear how interoperability will then be assured. Another issue to consider is the fact that using a traffic-driven tunnel establishment mechanism and at the same time using an approach whereby a routing protocol (with a keep-alive mechanism) runs on top of the VPN tunnel, does not seem currently applicable: the delay introduced by the tunnel establishment phase could lead to a loss of routing updates and the routing protocol's keep-alive mechanism could interact with the tunnel establishment in an undesired way. Therefor, when dynamic routing is used through IPsec-secured CE-to-CE tunnels, traffic-driven SA establishment SHOULD NOT be used. 4.3.2 Exchanging VPN reachability information via SP's management An alternative method to exchange reachability between sites within a VPN is by SP's management system involvement. When the reachability in a certain site changes, the considered CE device will need to communicate the new reachability information through the secure management channel to the SP's VPN database. This could be achieved either by having the CE device to push the new information to the SP's VPN database or by having the CE device to send some message to the SP's management system, which in turn can pull the new De Clercq et al. Expires December 2002 [Page 14] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 reachability information from the CE device. Once the SP's VPN database has been updated, this will trigger the distribution of this updated information from the SP's VPN database to all the appropriate CE devices by the management system, using the management protocol over the secured management connections. When CE-to-CE IPsec tunnel mode tunnels are used (with the complete SPD-controlled filtering), a management-based inter-site reachability information distribution SHOULD be used. When traffic-driven SA establishment is used, a management-based inter-site reachability information distribution SHOULD be used. Within the sites themselves, the CE device may then inject the updated reachability information into the local routing protocol function. Note that this method does not require the use of the same 'management protocol' for the configuration of the CE device and for the dynamic exchange of reachability information. A dedicated protocol may be used for that purpose. 4.3.3 Applicability of the mechanisms to exchange VPN routes between the VPN sites The 'tunneling approach' (as described in section 4.3.1) does not require a new interaction between the customer and the SP and offers transparent routing features to the VPN customer. Existing routing protocols can be used and the SP is not involved with the propagation of routing information updates. It prohibits some specific IPsec features though (such as traffic-initiated SA establishment, and the complete use of SPD-based filtering). The 'management approach' (as described in section 4.3.2) allows for the full use of specific IPsec features, but requires a new interaction between the CE device and the SP, and breaks the VPN customer's routing transparency. The SP participates in the inter- domain exchange of routing information. 4.4 Relationship between VPN membership, VPN tunnel status and routing When VPN membership changes, VPN tunnels may need to be intentionally deleted, and this change needs to be reflected in the routing information of all sites belonging to the VPN (see section 6). But VPN tunnels can also un-intentionally break for a variety of reasons. This should be detected by the SP management and reflected in a possible change of VPN membership. The routing within the VPN De Clercq et al. Expires December 2002 [Page 15] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 will probably also be affected and updated information must be distributed over all VPN sites. 5. Tunneling IP traffic (user data) among VPN sites This section describes the processes that an IP packet that is sent from one VPN site to another will go through. This is dependent on the way that IPsec is used. This document describes two possible ways to use IPsec in CE-based VPN implementations: IPsec in tunnel mode, and IPsec in transport mode. An IP packet that is sent by an IP device in a certain site and destined for an IP device in another site belonging to the same VPN, will be forwarded as follows. The device in the sending site sends an IP packet (using a private address space) on its LAN network. The next hop for this destination IP address will (at some point in time) be the site's CE device (according to the routing/forwarding in the VPN site). The processing by the CE device now is dependent on the implemented mode for IPsec. The use of IPsec in tunnel mode has the advantage that the complete range of SPD-checks remain usuable, but has the disadvantage that dynamic routing through the tunnels is not supported. The use of IPsec in transport mode secured IP-in-IP tunnels has the advantage that dynamic routing through the tunnels is fully supported, but has the disadvantage that the complete range of SPD-checks is not supported. Note that the following description is not meant to specify an implementation strategy; any implementation procedure wich produces the same results is acceptable. o IPsec in tunnel mode When IPsec is used in tunnel mode in this context, the IPsec driver in the CE device must do the following: - analyze the private IP packets arriving from within the site and select/setup an appropriate SA with the appropriate destination CE device. - authenticate and/or encrypt the private IP packet according to the (tunnel mode-specific) rules described in the SA, AND encapsulate the packet in an IPsec header AND encapsulate the packet in a new 'outer' IP header. This 'outer' IP header has the CE's non-private (i.e. routable in the SP's realm) IP address in the source IP address field and the destination CE's non-private De Clercq et al. Expires December 2002 [Page 16] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 (i.e. routable in the SP's realm) IP address in the destination IP address field. o IPsec in transport mode (see also [TOUCH] for a detailed specification) When IPsec is used in transport mode in this context, the CE device must first analyze the private IP packets arriving from within the site and select the appropriate destination CE, based on the routing/forwarding information. The CE device then encapsulates the private IP packet into a new IP packet (IP-in-IP encapsulation/tunneling), with the own non-private (i.e. routable in the SP's realm) IP address in the source address field of the new header and the destination CE's non-private (i.e. routable in the SP's realm) IP address in the destination address field of the new header. The CE device then processes this new IP packet to its IPsec driver. The IPsec driver in the CE device must then do the following: - analyze the IP packets that have been IP-in-IP encapsulated and select the appropriate SA (based on the packet's outer header destination address). - authenticate and/or encrypt the private IP packet according to the (transport mode-specific) rules described in the SA and insert an IPsec header (according to IPsec in transport mode). The CE device then sends the IPsec packet to the PE device, and the IPsec packet will then be forwarded using 'normal' IP forwarding across the SP's network, based on the outer header's IP destination address, that is the destination CE's 'global' (i.e. routable in the SP's realm) IP address. The egress PE device will also only examine the outer IP header and send the IP(sec) packet to the destined CE device. The egress CE device will recognize itself as the destination node (the IP packet has the CE's IP address in the outer IP destination address field). The destination CE's IPsec driver will then, based on the appropriate Security Association (identified by the packet's SPI field in the IPsec header), perform IPsec authentication and/or decryption. Dependent on whether tunnel mode or transport mode IPsec is used, the packet will be decapsulated by the IPsec driver itself or sent to the IP-in-IP decapsulation function. The resulting (private) IP packet will then be further processed in the CE's IP forwarding table and send on the LAN network to the appropriate destination IP device. Note that IPsec tunnels might unintentionally terminate or break. De Clercq et al. Expires December 2002 [Page 17] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 This may have serious consequences if VPN membership and VPN routing information is not changed accordingly within the VPN. Indeed, the unnoticed termination of a VPN tunnel can result in the creation of black holes. This means that a mechanism must exist to monitor the state of the VPN tunnels. The following possibilities are identified: (i) the use of an IPsec-specific keep-alive mechanism [IPSEC-DPD]; (ii) when a routing protocol runs on top of the IPsec VPN tunnel (see section 4.3.1), the routing protocol's keep-alive mechanism can serve that purpose; and (iii) the SP's management system could directly control the state of the VPN tunnels. 6. Deleting an existing VPN site When the VPN customer decides to delete an existing site from a certain VPN, the customer first needs to inform the SP. This can happen automatically via a "PUSH" operation with the management protocol by the CE device to the SP VPN database, or via any other mechanism that the VPN customer can use (e.g. out-of-band). In analogy with the configuration update mechanisms described in section 3.2, multiple approaches exist to delete a specific site from an existing VPN. The SP can gracefully tear down all the concerned IPsec tunnels at both ends via either manual configuration or via a re-provisioning of all impacted CE devices with the used management system. IKE will then be used to tear down the IPsec security associations. Alternatively, the IKE sessions could be just timed out. Alternatively, when IKE-based discovery is used, the SP will update its VPN database and will provision the to-be deleted CE to tear down its IPsec connections via IKE. The peering CE devices will then update their VPN configuration information as described in section 3.2. In the meantime, if a routing protocol runs on top of the VPN tunnels (and keep-alives are used), it will discover the topology change and update the necessary routing information automatically. If on the other hand, the SP management takes care of the inter-site routing information distribution, it will have to update the routes in the affected CEs when VPN tunnels are deleted. 7. Provider provisioned CE-based VPNs and NAT NAT provides address translation between two realms, such as between De Clercq et al. Expires December 2002 [Page 18] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 the private address space and the public address space. For site-to- site intranet VPN, the tunneled data usually remain in the same customer network address space. NAT is usually not required, unless two sites have overlapping address spaces. In that case, NAT can be used to solve the address-overlapping problem. In normal IPsec tunnel mode operation, after the user data is encapsulated by IPsec, the resulted packets are protected by packet encryption and/or authentication. Any further NAT changes on the packets will be detected at the receiving tunnel end, resulting in the packets being dropped. Currently the IPsec Working Group is working on a new mechanism so that IPsec packet can be safely NATed. Before the IPsec WG finalizes the IPsec over NAT standards, this draft assumes that there is no NAT function performed between the two IPsec tunnel end points. The scenario in which NAT applies is when the CE router serves a split stack function and provides both site-to-site VPN connection and direct Internet access. In this case, customer address space traffic is separated into two streams, one part for site-to-site private traffic and one part for direct Internet traffic. In this case the CE device performs NAT processing for the direct Internet traffic. The NAT function performed by the CE router takes care of the customer address space to public Internet address space conversion. Note that in the case that a certain site has both VPN and Internet access, a firewall should be configured at the site's CE device. 8. Extranet functionality with provider provisioned CE-based VPNs For the time being, this document deals mostly with intranet functionality provided by CE-based VPNs. The provisioning of an extranet service will affect the routing, tunnel topology and security features of the concepts described so far. The PP CE-based extranet VPN functionality is TBD. 9. Quality of Service TBD 10. Security Considerations The security aspects of what is presented in this document are implicitly discussed in most of the sections. This draft is for a large part focussing on security aspects. Note that the security of the mechanisms presented here is highly dependent on the following factors: De Clercq et al. Expires December 2002 [Page 19] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 - the security of the 'management channel', used by the management protocol to configure the VPN CE devices. - the security of the CE-device itself - the security aspects of the credentials: the IPsec credential must be generated, provisioned, updated, and stored securely - for a VPN with a complex topology, every tunnel must use the same grade of security strength, otherwise, a single weak link degrades the whole VPN 11. Acknowledgements The authors would like to thank the following persons for their valuable contributions to this document: Mahadevan Iyer, Cheng-Yin Lee, Lars Eggert, Brian Gleeson, Archana Khetan, Paul Knight, Sankar Ramamoorthi, Michael Choung Shieh, Joe Touch, Eric Vyncke, S. Felix Wu, Yu-Shun Wang, Alex Zinin. 12. References [FRAMEWORK] Callon, R. et al., "A Framework for Provider Provisioned Virtual Private Networks", draft-ietf-ppvpn-framework-0x.txt, Work in progress [GRE-CE] Khetan, A., et al., "Use of GRE for routing support in IPsec VPNs", draft-khetan-sp-greipsec, Work in progress [IKE] Harkins, D. and Carrel, D., "The Internet Key Exchange (IKE)", November 1998, RFC 2409 [IPSEC] Kent, S., Atkinson, R., "Security Architecture for the Internet Protocol", November 1998, RFC 2401 [IPSEC-DPD] Huang, G., Beaulieu, S., Rochefort, D., "A Traffic-Based Method of Detecting Dead IKE Peers", draft-ietf-ipsec-dpd-0x.txt, Work in progress [KNIGHT] Knight, P., Gleeson, B., "A Method to Signal and Provide Dynamic Routing in IPsec VPNs", draft-knight-ppvpn-ipsec-dynroute, Work in progress [LEE-DHCP] Lee, C.Y., "Customer Equipment Auto-configuration", March 2002, work in progress [RFC2402] Kent, S., Atkinson, R., "IP Authentication Header", De Clercq et al. Expires December 2002 [Page 20] Internet Draft draft-ietf-ppvpn-ce-based-02.txt June 2002 November 1998, RFC 2402 [RFC2406] Kent, S., Atkinson, R., "IP Encapsulating Security Payload (ESP)", November 1998, RFC 2406 [RFC2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP" November 1998, RFC 2407 [RFC2408] Maughan, D., et al., "Internet Security Association and Key Management Protocol (ISAKMP)", November 1998, RFC 2408 [TOUCH] Touch, J. and Eggert, L., "Use of IPSEC transport mode for Virtual Networks", draft-touch-ipsec-vpn-0x.txt, Work in progress [WANG-ROUTING] Wang, C., Beadles, M., Khetan, A., "Routing Support in CE-based IPsec VPNs", draft-wang-cevpn-routing-0x.txt, November 2001, Work in progress [WANG-GROUPS] Wang, C., "VPN Group Support for CE-based IPsec VPN", draft-wang-cevpn-group-0x.txt, November 2001, Work in progress 13. Authors' Addresses Jeremy De Clercq Alcatel Fr. Wellesplein 1, 2018 Antwerpen, Belgium E-mail: jeremy.de_clercq@alcatel.be Olivier Paridaens Alcatel Fr. Wellesplein 1, 2018 Antwerpen, Belgium E-mail: olivier.paridaens@alcatel.be Andrew Krywaniuk Alcatel Networks Corporation 600 March Road Kanata, ON Canada, K2K 2E6 +1 (613) 784-4237 E-mail: andrew.krywaniuk@alcatel.com Cliff Wang SmartPipes 565 Metro Place South Dublin, OH 43017, USA Phone: 1-614-923-6241 Email: cwang@smartpipes.com De Clercq et al. Expires December 2002 [Page 21]