Internet Engineering Task Force Juha Heinanen INTERNET DRAFT Telia Finland, Inc. Expires June 1998 December 1997 VPN support for MPLS Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Abstract This document discusses the need to include support for Virtual Private Networks in MPLS and gives a high-level description on how it can be accomplished. 1. Introduction The Framework for MPLS document [1] contains a long list of benefits that MPLS has as compared to conventional router backbones. For some reason it doesn't include easy support for Virtual Private Networks (VPNs) as one of them. Either VPN support is one of the best kept secrets of the MPLS design team or the authors of the framework document have not considered VPN support as an issue worth mentioning. Intranets are one of the fast growing ways to deploy the TCP/IP protocol suite. In order to provide Intranet services to its (best paying) customers, ISPs must be able to address the problems of security and use of non-unique, private IP addresses [2]. It turns Heinanen VPN Support for MPLS [Page 1] INTERNET DRAFT December, 1997 out that MPLS, due to its Layer 2, virtual circuit nature, provides a simple and efficient solution to these important problems. In conventional router backbones, IP packets are forwarded based on destination IP addresses, which must be unique within the backbone. It would not help to have a separate forwarding table for each VPN, since there is no VPN identifier in the IP packet header that could be used to select the correct forwarding table. MPLS backbone routers, on the other hand, can benefit from a separate routing table per VPN, since the tables are not used to forward IP packets, but to control label distribution. In MPLS backbones it is enough that the destination addresses are unique at the ingress LSRs, which attach the labels to the IP packets. This is the key observation that allows efficient implementation of VPNs in the MPLS environment. The following sections discuss various ways to support VPNs over an MPLS backbone. It is assumed that customer VPN sites communicate with the MPLS backbone either using static routes and LDP or BGP and that within the MPLS backbone either OSPF and LDP or IBGP are used to distribute the reachability and label binding information. 2. Virtual Private Networks (VPNs) In this document the term VPN is used to denote a set of customer sites that connect to the MPLS backbone and form a Closed User Group (CUG). A site may advertise a set of "streams" [3] to the other members of a CUG. This allows the other CUG members (and only them) to send IP packets to those streams. The advertised streams need only be unique within the CUG(s) to which the site belongs to. A site can at the same time be a member of more than one CUG and also be connected to the public Internet. In the latter case, the site advertises (some of) its streams without associating them with any CUG. The public Internet can thus be considered to be a special CUG that does not have any CUG identification. CUGs are identified within MPLS backbones using unique CUG identifiers. A CUG identifier can be constructed, for example, by appending an integer that uniquely identifies a CUG with a single MPLS backbone to an IP address owned by that backbone. Between a customer site and an MPLS backbone, a CUG can be identified using a CUG index, which is an integer that uniquely distinguishes the CUG among all CUGs defined over that link. 3. Distribution of VPN bindings to and from the MPLS backbone When a customer site is connected to an MPLS backbone, the corresponding interface of the backbone LSR is configured with a list Heinanen VPN Support for MPLS [Page 2] INTERNET DRAFT December, 1997 of CUG identifiers that correspond to the CUGs that the customer site belongs to and with a mapping that describes the correspondence between these CUG identifiers and the CUG indexes used over the link between the customer LSR and the backbone LSR. IP routing between the customer site and the MPLS backbone is assumed to be based either on static routes or BGP. If static routes are used, then the Label Distribution Protocol (LDP) [3] needs to be turned on between the customer LSR and the backbone LSR for advertisement of the label bindings. In order to support VPNs, the LDP advertisement message need to be extended with the CUG index so that the two LSRs know which VPN an advertisement belongs to. Since the LDP advertisements also carry stream information, manual configuration of static routes in the two LSRs would not be necessarily needed. If BGP is used between the customer site and the MPLS backbone, then the label bindings are included in BGP advertisements by extending BGP with label and CUG index attributes. The LDP would thus not need to be turned on between the customer LSR and the backbone LSR. When the above configuration tasks have been completed, the customer LSR and backbone LSR use either LDP or BGP to inform each other what streams are available for each VPN and what labels have been bound to them. The backbone LSR checks that the customer site really is a member of the VPN before it accepts a label binding from the customer LSR. Correspondingly, before a backbone LSR distributes a label binding to a customer LSR, it checks to see that the customer site is really configured to belong to the same VPN as the advertised label binding. If the customer site belongs to only one VPN, it should not be bothered with the knowledge of the VPNs. In that case, the only VPN is configured as the default VPN to the corresponding interface of the backbone LSR and the two LSRs don't include a CUG index in their advertisements to each other. 4. Distribution of VPN bindings within the MPLS backbone When a backbone LSR learns a label binding from a customer site, it must somehow make the stream (and a corresponding label binding) known to the other CUG members. This chapter covers the cases where either OSPF and LDP or IBGP is used to distribute the label bindings. If the MPLS backbone is using OSPF and LDP to distribute the routing information and label bindings, the backbone LSR that learns a binding from a customer LSR injects the stream together with the Heinanen VPN Support for MPLS [Page 3] INTERNET DRAFT December, 1997 corresponding VPN identifier to its OSPF process. The VPN identifier allows the OSPF process to construct for each VPN its own routing table. This is needed, because the VPNs may use overlapping, private IP addresses. How the VPN identifier is associated with the stream in the OSPF advertisement is left for further study. One possibility is to use the Opaque LSA option [4]. In addition to injecting the stream to its OSPF process, the backbone LSR also advertises a corresponding label binding to its peers within the MPLS backbone. This advertisement is otherwise normal except that also the CUG identifier is included in the advertisement message. If the MPLS backbone is using IBGP to distribute the label bindings, then it suffices that a backbone LSR that learned a binding from a customer LSR injects the binding together with the CUG identifier to its IBGP process. This requires that BGP is extended with two attributes: one for the CUG identifier and one for the label. The details of these extensions are left for further study. 5. Security considerations As shown in this document, MPLS can be used to implement secure VPNs over a single MPLS backbone where the VPNs are fully isolated from each other in terms of both visibility and packet forwarding. The security is accomplished by manually associating a set of unique CUG identifiers to the customer interfaces of the backbone LSRs. The CUG identifiers limit the distribution of both reachability and label information. If a customer site has not received a label for a particular destination, it has no means to send packets to that destination provided that the LSRs assign the labels so that they are unique per interface, not per LSR. Manual configuration of the CUG identifiers is always subject to human error. However, configuration of a single CUG identifier once per interface is a much simpler process than configuration of a list of IP address prefixes, since the latter need to be modified each time a new customer site is added to or removed from the VPN. 6. Summary This document has argued that VPN support should be an essential part of the MPLS protocol. Easy and efficient support for VPNs is seen as the killer application for MPLS without which the whole MPLS effort is hard to justify. It is therefore suggested that the MPLS working group incorporates VPN support in its current work plan. Heinanen VPN Support for MPLS [Page 4] INTERNET DRAFT December, 1997 References [1] Callon, R., et al, "A Framework for Multiprotocol Label Switching". draft-ietf-mpls-framework-02.txt. [2] Rekhter, Y., et al, "Address Allocation for Private Internets". RFC 1918, Feb 1996. [3] Feldman, Nancy, et al, "LDP Specification". draft-feldman-ldp- spec-00.txt. [4] Coltun, Rob, "The OSPF Opaque LSA Option". draft-ietf-ospf- opaque-02.txt. Acknowledgements I would like to thank Rob Coltun for listening to my initial ideas and Yakov Rekhter for pointing out the importance of IBGP. Author Information Juha Heinanen Telia Finland, Inc. Myyrmaentie 2 01600 VANTAA Finland Phone +358 303 944 808 Email jh@telia.fi Heinanen VPN Support for MPLS [Page 5]