2.3.7 Layer 3 Virtual Private Networks (l3vpn)

NOTE: This charter is a snapshot of the 58th IETF Meeting in Minneapolis, Minnesota USA. It may now be out-of-date.

Last Modified: 2003-09-25

Rick Wilder <rick@rhwilder.net>
Ross Callon <rcallon@juniper.net>
Ronald Bonica <ronald.p.bonica@mci.com>
Internet Area Director(s):
Thomas Narten <narten@us.ibm.com>
Margaret Wasserman <margaret.wasserman@nokia.com>
Internet Area Advisor:
Thomas Narten <narten@us.ibm.com>
Technical Advisor(s):
Alex Zinin <zinin@psg.com>
Mailing Lists:
General Discussion: l3vpn@ietf.org
To Subscribe: https://www1.ietf.org/mailman/listinfo/l3vpn
Archive: https://www1.ietf.org/mail-archive/working-groups/l3vpn/current/maillist.html
Description of Working Group:
Alex Zinin is the routing advisor.

This working group is responsible for defining and specifying a limited number of solutions for supporting provider-provisioned Layer-3 (routed) Virtual Private Networks (L3VPNs).

The WG is responsible for standardization of the following solutions: 1. BGP/MPLS IP VPNs (based on RFC 2547) 2. IP VPNs using Virtual Routers 3. CE-based VPNs using IPSEC

The following VPN deployment scenarios will be considered by the WG:

1. Internet-wide: VPN sites attached to arbitratry points in the Internet

2. Single SP/single AS: VPN sites attached to the network of a single provider within the scope of a single AS

3. Single SP/multiple AS'es: VPN sites attached to the network of a single provider consisting of multiple AS'es

4. Cooperating SPs: VPN sites attached to networks of different providers that cooperate with each other to provide VPN service

As part of this effort the WG will work on the following tasks (additional work items will require rechartering):

1. Requirements and framework for Layer 3 VPNs 2. Solution documents for each approach listed above (including applicability statements) 3. MIB definitions for each approach 4. Security mechanisms for each approach

As a general rule, the WG will not create new protocols, but will provide functional requirements for extensions of the existing protocols that will be discussed in the protocol-specific WGs. L3VPN WG will review proposed protocol extensions for L3VPNs before they are recommended to appropriate protocol-specific WGs.

Multicast and QoS support are excluded from the charter at this time. They may be considered for inclusion in an updated charter at a later time. Future work items may also include OAM support.

Goals and Milestones:
Done  Submit L3 VPN Requirements Document to IESG for publication as Info
Done  Submit Generic Requirements Document to IESG for publication as Info
Done  Submit L3 VPN Framework Document to IESG for publication as Info
Dec 03  Submit VPN Security Analysis to IESG for publication as Info (draft-fang-ppvpn-security-framework-00)
Dec 03  Submit BGP/MPLS VPNs specification and AS to IESG for publication as PS (draft-ietf-ppvpn-rfc2547bis-03, draft-ietf-ppvpn-as2547-01)
Dec 03  Submit CE-based specification and AS to IESG for publication as PS (draft-ietf-ppvpn-ce-based-03, draft-declercq-ppvpn-ce-based-sol-00, draft-declercq-ppvpn-ce-based-as-01)
Dec 03  Submit Virtual Router specification and AS to IESG for publication as PS (draft-ietf-ppvpn-vpn-vr-03, draft-ietf-ppvpn-as-vr-01)
Jan 04  Submit VPN MIB Textual Conventions to IESG for publication as PS (draft-ietf-ppvpn-tc-mib-02)
Jan 04  Submit MPLS/BGP VPN MIB to IESG for publication as PS (draft-ietf-ppvpn-mpls-vpn-mib-05)
Jan 04  Submit VR MIB to IESG for publication as PS (draft-ietf-ppvpn-vr-mib-04)
Jan 04  Submit BGP as an Auto-Discovery Mechanism for publication as PS (draft-ietf-ppvpn-bgpvpn-auto-05.txt)
Mar 04  Submit specification of using IPSEC for PE-PE encapsulation in BGP/MPLS VPNs to IESG for publication as PS (draft-ietf-ppvpn-ipsec-2547-03)
Mar 04  Submit specification of using GRE for PE-PE encapsulation in BGP/MPLS VPNs to IESG for publication as PS (draft-ietf-ppvpn-gre-ip-2547-02)
Mar 04  Submit specification of CE Route Authentication to IESG for publication as PS (draft-ietf-ppvpn-l3vpn-auth-03)
Mar 04  Submit specification of OSPF as the PE/CE Protocol in BGP/MPLS VPNs for publication (draft-rosen-vpns-ospf-bgp-mpls-06.txt)
  • - draft-ietf-l3vpn-requirements-00.txt
  • - draft-ietf-l3vpn-framework-00.txt
  • - draft-ietf-l3vpn-ce-based-01.txt
  • - draft-ietf-l3vpn-bgp-ipv6-01.txt
  • - draft-ietf-l3vpn-mpls-vpn-mib-00.txt
  • - draft-ietf-l3vpn-rfc2547bis-01.txt
  • - draft-ietf-l3vpn-ipsec-2547-01.txt
  • - draft-ietf-l3vpn-ospf-2547-00.txt
  • - draft-ietf-l3vpn-gre-ip-2547-00.txt
  • - draft-ietf-l3vpn-bgpvpn-auto-00.txt
  • - draft-ietf-l3vpn-vpn-vr-01.txt
  • - draft-ietf-l3vpn-vr-mib-00.txt
  • - draft-ietf-l3vpn-tc-mib-00.txt
  • - draft-ietf-l3vpn-as2547-03.txt
  • - draft-ietf-l3vpn-applicability-guidelines-00.txt
  • - draft-ietf-l3vpn-as-vr-00.txt
  • - draft-ietf-l3vpn-generic-reqts-01.txt
  • - draft-ietf-l3vpn-mgt-fwk-00.txt
  • - draft-ietf-l3vpn-l3vpn-auth-00.txt
  • - draft-ietf-l3vpn-security-framework-00.txt
  • No Request For Comments

    Current Meeting Report

    L3VPN Working Group
    Wed 11/12/03 9:00am - 10:00am
            Agenda Bashing                  (5 minutes - chairs)
            Working Group Document Status   (15 minutes - Ross Callon)
            Charter: Ongoing/Future Work    (15 minutes - Ron Bonica)
            MPLS over L2TP                  (15 minutes - Mark Townsley)
            CE member authentication        (20 minutes)
    1) Document status (Ross Callon) 
            L3 Framework 
                    IESG has approved for publication
            L3 Service req'ts 
                    IESG Review and/or update based on comments
            Generic req'ts 
                    IESG Review and/or update based on comments
            Security Framework
                    Passed WG last call; 
                    Being updated based on security directorate comments
            BGP/MPLS IP VPNs and  AS 
                    Passed l3vpn working group last call
                    Is currently in IDR working group last call
            VR Architecture  and  AS
    <draft-ietf-l3vpn-vpn-vr-01.txt> & 
                    <draft-ietf-l3vpn-as-vr-00.txt >
                    Base document is ready for WG last call
                    AS update expected soon after IETF
                    Both should go to WG last call as soon as AS is ready
            CE/IPSec Architecture  and  AS 
    <draft-ietf-l3vpn-ce-based-01.txt> & 
                    Recent update to address mailing list comments:
                            Clarify CE operation in two distinct routing 
    spaces and management spaces
                            More description of tunnel establishment 
                            More description of Internet connectivity
                            Awaiting update to AS
                            Security considerations and template
                    WG Last call expected soon
            Guidelines of Applicability Statements for PPVPNs
                    Long term disposition is still tbd
            MPLS/BGP MIB  
                    Needs update & MIB Doctor review
                    WG last call should occur relatively soon thereafter
            Virtual Router MIB  
                    same status as MPLS/BGP MIB
            CE MIB 
                    TBD (do we need a MIB? - question to be addressed on mail 
            Req'ts for MPLS MIBs 
                    L3vpn issues have been resolved. 
            Framework for PPVPN Op.& Man.  
                    Accepted as working group document at last IETF
                    Comments to l3vpn mailing list
            Textual Conventions 
                    "Very Stable". 
            2547 for IPv6 
                    Charter is being updated to include IPv6
            PE-PE IPsec for 2547 
            PE-PE GRE or IP for 2547 
            BGP as Auto-Discovery  
                    All of above are stable, no significant recent updates
            CE-to-CE Member Verif'n 
    <draft-ietf-ppvpn-l3vpn-auth-03.txt> and 
                    Possibility to reconcile the two approaches in a single 
    document - see below.
            OSPF as PE/CE Protocol in BGP/MPLS VPNs 
                    Currently in WG last call
                    Last call extended to 11/21/2003 (5pm EST)
                    Related document 
    <draft-ietf-ospf-2547-dnbit-01.txt> in last call in the OSPF working 
    2)  Charter (Ron Bonica) 
            We have made progress and are nearing completion of many of our 
    original tasks (eg, Framework and Requirements Documents completed, 
    Security Frameworks passed WG last call, BGP/MPLS base spec and AS passed 
    l3vpn last call and are in IDR last call, ...). It is therefore a good time 
    to think about future work. 
            We propose updating the Charter for additional work items. We have 
    proposed to the IESG an update which adds support for IPv6. As the 
    current set of documents is completed, we will propose to also add 
    charter support for Multicast.
    3) MPLS over L2TPv3 with BGP L3VPNs (Mark Townsley) 
            (see presentation)
            Proposal:  Edit current contribution to include BGP signaling 
    Along with L2TP formats. Use this to create a new document which Could 
    become draft-ietf-l3vpn-l2tpv3-2547-00.txt (if accepted as a working group 
            Note that this would be in addition to existing documents:
    1)      Yakov: There were some comments in opposition to this when it was 
    presented in the MPLS WG session. Security is an issue
                    a) Security review is needed (by security 
                    b) The solution is by no means specific to 2547 ­it is 
    applicable to any multipoint-to-point application.
                    c) The document needs to explain why extending BGP for 
    multipoint-to-point L2TP signaling is preferred over the existing L2TP 
    signaling (or extending L2TP to provide multipoint-to-point 
    2)      Ross: Why do we need another encapsulation? We already have 
    encapsulation over MPLS, GRE, and IPsec.   Does this have an advantage that 
    these other encapsulations don't?
                    (response) There are already 4 encapsulations
                                    MPLS over MPLS
                                    MPLS over IPsec
                                    MPLS over GRE
                                    MPLS over IP 
                    (Eric Rosen) We already have many many different tunnel 
    types in use. Service providers have preferences for each. We need a 
    specification for each. 
                    Agreement: we should include the reasons why the choices are 
    being made.
            Mark: The intention is to update the document before it would be a 
    working group document. 
            Ross:  We can't accept a document as a working group document 
    until we have the document. Can you send an outline to the mailing list 
    with a description of what would be in the extended draft with the 
    articulation of the issues? 
            Mark: Yes, this makes sense.
            Agreement: Will be discussed on the list. 
    3) Reconciling the L3VPN authentication Drafts (also known as "Singing 
    Kumbaya"),  M Behringer, M. Bonica
    We currently have two drafts related to authentication (one a working 
    group document, one an individual contribution):
                    1) Draft-ietf-l3vpn-l3vpn-auth
                            - provides the method through which the 
    customers can detect SP misconfiguration 
                            - Does nothing to prevent 
                            - delegates authentication task to the CE
                            - requires new functionality on the CE
                    2) Draft Behringer-mpls-vpn-auth
                            - reduces the probabilty of SP 
                            - Does not allow customer to detect 
    misconfiguration if it does occur
                            - delegates the authentication task to the PE
                           - requires nothing new on the CE
    We have two drafts. Options are: merge, let them both live, kill one.
    We propose to merge the drafts. 
                    1) PE obtains the token from CE
                            original draft: BGP extended community received 
    from CE
                            new protocol with CE
                            Hashed authentication key from CE-PE routing 
                    2) PE distributes token throughout SP network
                    3) PE 
                            - Distribute to CE using BGP community or new 
                            - User decides whether or not to 
                    1) Converge on a common mechanisms for distribution
                                    - Use a new BGP attribute
                    2) Add a third mechanism for obtaining token to 
                            - Derive the token from the PE-CE MD5 key
                    3) Add a third application for the key at the egress PE
                            - Use it to decide whether to install the route
    Discussion:  (Ross Callon) Reasonable to update document. Comments on the 
    (Ron Bonica)  We would appreciate comments from Carrier's and Service 
    4) Michael Beringer: 
    He wants to know what the disposition will be of his document 
    "Analysis of the Security of BGP/MPLS IP VPNs". He requests that people 
    send comments on the draft to the mailing list. 
    Ross: This makes sense. Please review the document to determine whether it 
    should become a working group document with the intention of being 
    published as Information. Send comments to the list. Requested that 
    Michael send a message to the mail list requesting feedback on the 
    beringer security draft. Michael agrees. 


    Status of L3 PPVPN Working Group Documents
    L3VPN Charter
    MPLS over L2TPv3 for support of RFC 2547-based BGP/MPLS IP VPNs
    Reconciling the L3VPN Authentication Drafts