| < draft-ietf-l2vpn-l2-framework-04.txt | draft-ietf-l2vpn-l2-framework-05.txt > | |||
|---|---|---|---|---|
| Network Working Group Loa Andersson | Network Working Group Loa Andersson | |||
| Internet Draft | Internet Draft Acreo AB | |||
| Expiration Date: September 2004 Eric C. Rosen | Expiration Date: December 2004 | |||
| Eric C. Rosen | ||||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| Editors | Editors | |||
| March 2004 | June 2004 | |||
| Framework for Layer 2 Virtual Private Networks (L2VPNs) | Framework for Layer 2 Virtual Private Networks (L2VPNs) | |||
| draft-ietf-l2vpn-l2-framework-04.txt | draft-ietf-l2vpn-l2-framework-05.txt | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is subject to all provisions | This document is an Internet-Draft and is subject to all provisions | |||
| of Section 10 of RFC2026. | of Section 10 of RFC2026. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that other | Task Force (IETF), its areas, and its working groups. Note that other | |||
| groups may also distribute working documents as Internet-Drafts. | groups may also distribute working documents as Internet-Drafts. | |||
| skipping to change at page 3, line 8 ¶ | skipping to change at page 3, line 8 ¶ | |||
| 3.3.3 Heterogeneous Pseudowires .......................... 29 | 3.3.3 Heterogeneous Pseudowires .......................... 29 | |||
| 3.4 VPLS Emulated LANs ................................. 30 | 3.4 VPLS Emulated LANs ................................. 30 | |||
| 3.4.1 VPLS Overlay Topologies and Forwarding ............. 32 | 3.4.1 VPLS Overlay Topologies and Forwarding ............. 32 | |||
| 3.4.2 Provisioning and Auto-Discovery .................... 34 | 3.4.2 Provisioning and Auto-Discovery .................... 34 | |||
| 3.4.3 Distributed PE ..................................... 34 | 3.4.3 Distributed PE ..................................... 34 | |||
| 3.4.4 Scaling issues in VPLS deployment .................. 37 | 3.4.4 Scaling issues in VPLS deployment .................. 37 | |||
| 3.5 IP-only LAN-like Service (IPLS) .................... 37 | 3.5 IP-only LAN-like Service (IPLS) .................... 37 | |||
| 4 Security Considerations ............................ 38 | 4 Security Considerations ............................ 38 | |||
| 4.1 Provider Network Security Issues ................... 39 | 4.1 Provider Network Security Issues ................... 39 | |||
| 4.2 Provider-Customer Network Security Issues .......... 40 | 4.2 Provider-Customer Network Security Issues .......... 40 | |||
| 4.3 Customer Network Security Issues ................... 40 | 4.3 Customer Network Security Issues ................... 41 | |||
| 5 Authors and Acknowledgments ........................ 41 | 5 Authors and Acknowledgments ........................ 42 | |||
| 6 Authors' Contact Information ....................... 42 | 6 Authors' Contact Information ....................... 42 | |||
| 7 Normative References ............................... 43 | 7 Normative References ............................... 44 | |||
| 8 Informative References ............................. 44 | 8 Informative References ............................. 44 | |||
| 9 Intellectual Property Notice ....................... 44 | 9 Intellectual Property Notice ....................... 44 | |||
| 10 Copyright Notice ................................... 45 | 10 Copyright Notice ................................... 45 | |||
| 1. Introduction | 1. Introduction | |||
| 1.1. Conventions used in this document | 1.1. Conventions used in this document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| skipping to change at page 20, line 44 ¶ | skipping to change at page 20, line 44 ¶ | |||
| following implications: | following implications: | |||
| - The signaling protocol that sets up the PWs must be able to cross | - The signaling protocol that sets up the PWs must be able to cross | |||
| network boundaries. Of course, all IP-based protocols have this | network boundaries. Of course, all IP-based protocols have this | |||
| capability. | capability. | |||
| - The two PEs at the PW endpoints must be addressable and routable | - The two PEs at the PW endpoints must be addressable and routable | |||
| from each other. | from each other. | |||
| - The signaling protocol needs to allow each PW endpoint to | - The signaling protocol needs to allow each PW endpoint to | |||
| authenticate the other. | authenticate the other. To make use of the authentication | |||
| capability, there would also need to be some method of key | ||||
| distribution which is acceptable to both administrations. | ||||
| 3.2.7. Service Quality | 3.2.7. Service Quality | |||
| Service Quality refers to the ability for the network to deliver a | Service Quality refers to the ability for the network to deliver a | |||
| Service level Specification (SLS) for service attributes such as | Service level Specification (SLS) for service attributes such as | |||
| protection, security and Quality of Service (QoS). The service | protection, security and Quality of Service (QoS). The service | |||
| quality provided depends on the subscriber's requirements, and can be | quality provided depends on the subscriber's requirements, and can be | |||
| characterized by a number of performance metrics. | characterized by a number of performance metrics. | |||
| The necessary Service Quality must be provided on the ACs as well as | The necessary Service Quality must be provided on the ACs as well as | |||
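Review bot: the added sentence "To make use of the authentication capability, there would also need to be some method of key distribution which is acceptable to both administrations" names a dependency but not its consequence. Since the second bullet already requires the two PEs to be addressable and routable from each other, a PE's signaling endpoint is reachable from the other administration's network, and without an agreed key distribution method the authentication capability of the signaling protocol cannot actually be used; suggest stating that in that case the inter-provider PW would be set up without endpoint authentication, so agreeing on key distribution is a precondition of the service rather than an optional extra.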
| skipping to change at page 40, line 11 ¶ | skipping to change at page 40, line 11 ¶ | |||
| To limit the effect of Denial of Service attacks on a PE, some means | To limit the effect of Denial of Service attacks on a PE, some means | |||
| of limiting the rate of processing of control plane traffic may be | of limiting the rate of processing of control plane traffic may be | |||
| desirable. | desirable. | |||
| Unlike authentication and integrity, privacy of the signaling | Unlike authentication and integrity, privacy of the signaling | |||
| messages is not usually considered very important. If it is needed, | messages is not usually considered very important. If it is needed, | |||
| the signaling messages can be sent through an IPsec connection. | the signaling messages can be sent through an IPsec connection. | |||
| If the PE cannot efficiently handle high volumes of multicast traffic | If the PE cannot efficiently handle high volumes of multicast traffic | |||
| for sustained periods, then it may be possible to launch a denial of | for sustained periods, then it may be possible to launch a denial of | |||
| service attack on a VPLS service by sending a PE excessive amounts of | service attack on a VPLS service by sending a PE a large number of | |||
| layer 2 multicast traffic. | frames which have either a multicast address or an unknown MAC | |||
| address in their MAC Destination Address fields. A similar denial | ||||
| of service attack can be mounted by sending a PE a large number of | ||||
| frames with bogus MAC Source Address fields. The bogus addresses can | ||||
| fill the MAC address tables in the PEs, with the result that frames | ||||
| destined to the real MAC addresses always get flooded (i.e., | ||||
| multicast). | ||||
| 4.2. Provider-Customer Network Security Issues | 4.2. Provider-Customer Network Security Issues | |||
| There are a number of security issues related to the access network | There are a number of security issues related to the access network | |||
| between the provider and the customer. This is also traditionally a | between the provider and the customer. This is also traditionally a | |||
| network that is hard to protect physically. | network that is hard to protect physically. | |||
| Typical security issues on the provider-customer interface include | Typical security issues on the provider-customer interface include | |||
| the following: | the following: | |||
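Review bot: the rewritten paragraph ("sending a PE a large number of frames which have either a multicast address or an unknown MAC address in their MAC Destination Address fields") and the new sentence on frames "with bogus MAC Source Address fields" describe two distinct exhaustion vectors, flooding capacity and MAC address table capacity, but unlike the preceding paragraph on control plane traffic they name no mitigation. Suggest a parallel sentence that a PE may need to limit the rate of flooded frames and bound the number of MAC addresses learned per AC or per VPLS instance, so that one customer's traffic cannot degrade the service for others. Also, the parenthetical "(i.e., multicast)" after "always get flooded" conflates flooding of unknown-unicast frames with multicast; "i.e., forwarded as if they were multicast" would be more accurate.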
| skipping to change at page 41, line 31 ¶ | skipping to change at page 41, line 41 ¶ | |||
| alternative L2VPN schemes which are based not upon an overlay of PWs, | alternative L2VPN schemes which are based not upon an overlay of PWs, | |||
| but upon an overlay of IPsec tunnels whose endpoints are at the | but upon an overlay of IPsec tunnels whose endpoints are at the | |||
| customer sites; however, such alternatives are not discussed in this | customer sites; however, such alternatives are not discussed in this | |||
| document. | document. | |||
| If there is CE-to-CE control traffic (e.g., BPDUs), on whose | If there is CE-to-CE control traffic (e.g., BPDUs), on whose | |||
| integrity the customer's own layer 2 network depends, it may be | integrity the customer's own layer 2 network depends, it may be | |||
| advisable to send the control traffic using some more secure | advisable to send the control traffic using some more secure | |||
| mechanism than is used for the data traffic. | mechanism than is used for the data traffic. | |||
| In general, any means of mounting a denial of service attack on | ||||
| bridged networks generally can also be used to mount a denial of | ||||
| service attack on the VPLS service for a particular customer. We | ||||
| have discussed here only those attacks which rely on features of the | ||||
| VPLS service which are not shared by bridged networks in general. | ||||
| 5. Authors and Acknowledgments | 5. Authors and Acknowledgments | |||
| This document is the outcome of discussions within a Layer 2 VPN | This document is the outcome of discussions within a Layer 2 VPN | |||
| design team, all of whose members could be considered to be co- | design team, all of whose members could be considered to be co- | |||
| authors. Specifically, the co-authors are Loa Andersson, Waldemar | authors. Specifically, the co-authors are Loa Andersson, Waldemar | |||
| Augustyn, Marty Borden, Hamid Ould-Brahim, Juha Heinanen, Kireeti | Augustyn, Marty Borden, Hamid Ould-Brahim, Juha Heinanen, Kireeti | |||
| Kompella, Vach Kompella, Marc Lasserre, Pascal Menezes, Vasile | Kompella, Vach Kompella, Marc Lasserre, Pascal Menezes, Vasile | |||
| Radoaca, Eric Rosen, and Tissa Senevirathne. | Radoaca, Eric Rosen, and Tissa Senevirathne. | |||
| The authors would like to thank Marco Carugi for cooperation in | The authors would like to thank Marco Carugi for cooperation in | |||
| setting up context, working directions and taking time for | setting up context, working directions and taking time for | |||
| discussions in this space, Tove Madsen and Pekka Savola for valuable | discussions in this space, Tove Madsen and Pekka Savola for valuable | |||
| input and reviews, and Norm Finn, Matt Squires, and Ali Sajassi for | input and reviews, and Norm Finn, Matt Squires, and Ali Sajassi for | |||
| valuable discussion of the VPLS issues. | valuable discussion of the VPLS issues. | |||
| 6. Authors' Contact Information | 6. Authors' Contact Information | |||
| Loa Andersson | Loa Andersson | |||
| Email: loa@pi.se | Acreo AB | |||
| Email: loa@acreo.se | ||||
| Eric C. Rosen | Eric C. Rosen | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| 1414 Massachusetts Avenue | 1414 Massachusetts Avenue | |||
| Boxborough, MA 01719 | Boxborough, MA 01719 | |||
| Email: erosen@cisco.com | Email: erosen@cisco.com | |||
| Waldemar Augustyn | Waldemar Augustyn | |||
| Email: waldemar@nxp.com | Email: waldemar@nxp.com | |||
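Review bot: the new paragraph "In general, any means of mounting a denial of service attack on bridged networks generally can also be used ..." doubles "In general" and "generally"; drop one. Its second sentence, "We have discussed here only those attacks which rely on features of the VPLS service which are not shared by bridged networks in general", is a useful scoping statement, but the VPLS-specific attacks it refers to (multicast and unknown-address flooding, bogus source addresses) are described in the earlier provider-network hunk, not in this customer-facing subsection; consider moving the sentence to follow that discussion or pointing the reader back to it.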
| End of changes. 9 change blocks. | ||||
| 11 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||