draft-ietf-l3vpn-end-system-04.txt   draft-ietf-l3vpn-end-system-05.txt 
Network Working Group P. Marques Network Working Group P. Marques
Internet-Draft Juniper Networks Internet-Draft Juniper Networks
Intended status: Standards Track L. Fang Intended status: Standards Track L. Fang
Expires: April 5, 2015 Microsoft Expires: April 10, 2016 Microsoft
N. Sheth N. Sheth
Juniper Networks Juniper Networks
M. Napierala M. Napierala
AT&T Labs AT&T Labs
N. Bitar N. Bitar
Verizon Verizon
October 2, 2014 October 8, 2015
BGP-signaled end-system IP/VPNs. BGP-signaled end-system IP/VPNs.
draft-ietf-l3vpn-end-system-04 draft-ietf-l3vpn-end-system-05
Abstract Abstract
This document describes a solution in which the control plane This document describes a solution in which the control plane
protocol specified in BGP/MPLS IP VPNs is used to provide a Virtual protocol specified in BGP/MPLS IP VPNs is used and extended via the
Network service to end-systems. These end-systems may be used to XMPP protocol to provide a Virtual Network service to end-systems.
provide network services or may directly host end-to-end These end-systems may be used to provide network services or may
applications. directly host end-to-end applications.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 5, 2015. This Internet-Draft will expire on April 10, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 21 skipping to change at page 2, line 21
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Applicability of BGP IP VPNs . . . . . . . . . . . . . . . . 4 3. Applicability of BGP IP VPNs . . . . . . . . . . . . . . . . 4
4. Virtual network end-points . . . . . . . . . . . . . . . . . 7 4. Virtual network end-points . . . . . . . . . . . . . . . . . 7
5. VPN Forwarder . . . . . . . . . . . . . . . . . . . . . . . . 9 5. VPN Forwarder . . . . . . . . . . . . . . . . . . . . . . . . 9
6. XMPP signaling protocol . . . . . . . . . . . . . . . . . . . 11 6. XMPP signaling protocol . . . . . . . . . . . . . . . . . . . 11
7. End-System Route Server behavior . . . . . . . . . . . . . . 17 7. End-System Route Server behavior . . . . . . . . . . . . . . 20
8. Operational Model . . . . . . . . . . . . . . . . . . . . . . 18 8. Operational Model . . . . . . . . . . . . . . . . . . . . . . 20
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
10. Security Considerations . . . . . . . . . . . . . . . . . . . 21 10. Security Considerations . . . . . . . . . . . . . . . . . . . 24
11. XML schema . . . . . . . . . . . . . . . . . . . . . . . . . 22 11. XML schema . . . . . . . . . . . . . . . . . . . . . . . . . 25
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 27
13.1. Normative References . . . . . . . . . . . . . . . . . . 24 13.1. Normative References . . . . . . . . . . . . . . . . . . 27
13.2. Informational References . . . . . . . . . . . . . . . . 24 13.2. Informational References . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction 1. Introduction
This document describes the requirements for a network virtualization This document describes the requirements for a network virtualization
solution that provides an IP service to end-system virtual solution that provides an IP service to end-system virtual
interfaces. It then discusses how the BGP IP VPNs [RFC4364] control interfaces. It then discusses how the BGP IP VPNs [RFC4364] control
plane can be used to provide a solution that meets these plane can be used and extended via the XMPP protocol to provide a
requirements. Subsequent sections provide a detailed discussion of solution that meets these requirements. Subsequent sections provide
the control and forwarding plane components. a detailed discussion of the control and forwarding plane components.
In BGP IP VPNs, Customer Edge (CE) interfaces connect to a Provider In BGP IP VPNs, Customer Edge (CE) interfaces connect to a Provider
Edge (PE) device which provides both the control plane and VPN Edge (PE) device which provides both the control plane and VPN
encapsulation functions required to implement a Virtual Network encapsulation functions required to implement a Virtual Network
service. This document decouples the control plane and forwarding service. This document decouples the control plane and forwarding
functionality of the PE device in order to enable the forwarding functionality of the PE device in order to enable the forwarding
functionality to be implemented in multiple devices. For instance, functionality to be implemented in multiple devices. For instance,
the forwarding function can be implemented directly on the operating the forwarding function can be implemented directly on the operating
system of application servers or network appliances. system of application servers or network appliances.
1.1. Terminology 1.1. Terminology
This document makes use of the following terms: This document makes use of the following terms:
End-System: A compute node which primary function is to run End-System: A compute node whose primary function is to run
applications. It is assumed that end-systems support multiple applications. It is assumed that end-systems support multiple
application instances (e.g. virtual-machines), each with its application instances (e.g., virtual machines), each with its
independent network configuration. independent network configuration.
End-System Route Server: A software application that implements the End-System Route Server: A software application that implements the
control plane functionality of a BGP IP VPN PE device and a XMPP control plane functionality of a BGP IP VPN PE device and an XMPP
server that interacts with VPN Forwarders. server that interacts with VPN Forwarders.
Virtual Interface: An interface in an end-system that is used by a Virtual Interface: An interface in an end-system that is used by a
virtual machine or by applications. It performs the role of a CE virtual machine or by applications. It performs the role of a CE
interface in a BGP IP VPN network. interface in a BGP IP VPN network. This is similar to the concept
of Virtual Access Point (VAP) in RFC 7365 [RFC7365].
VPN Forwarder: The forwarding component of a BGP IP VPN PE device. VPN Forwarder: The forwarding component of a BGP IP VPN PE device.
This functionality may be co-located with the virtual interface or This functionality may be co-located with the virtual interface or
implemented by an external device. implemented by an external device.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. Requirements 2. Requirements
skipping to change at page 3, line 50 skipping to change at page 3, line 51
services or internal departments sharing an IT facility. Multi- services or internal departments sharing an IT facility. Multi-
tenancy requires isolation of traffic and routing information between tenancy requires isolation of traffic and routing information between
tenants. tenants.
Within a tenant, it is often required to create multiple distinct Within a tenant, it is often required to create multiple distinct
virtual networks, in order to be able to provide network-based access virtual networks, in order to be able to provide network-based access
control. In this service model, each virtual network behaves as a control. In this service model, each virtual network behaves as a
"Closed User Group" (CUG) of virtual interfaces that are allowed to "Closed User Group" (CUG) of virtual interfaces that are allowed to
exchange traffic freely, while traffic between virtual networks is exchange traffic freely, while traffic between virtual networks is
subject to access controls. This scenario can be found in both subject to access controls. This scenario can be found in both
enterprise campus networks, branch offices and data-centers. enterprise campus networks, branch offices and data centers.
It is often the case when network access control is used, that the It is often the case when network access control is used, that the
traffic patterns are such that there is significantly more traffic traffic patterns are such that there is significantly more traffic
crossing a CUG boundary than staying within such boundary. As an crossing a CUG boundary than staying within such boundary. As an
example, in campus networks it is common to segregate users into CUGs example, in campus networks it is common to segregate users into CUGs
based on some classification such as the user's department. Campus based on some classification such as the user's department. Campus
networks often see traffic patterns in which almost all the traffic networks often see traffic patterns in which almost all the traffic
flows northbound to the data-center or internet boundaries. Similar flows northbound to the data center or internet boundaries. Similar
traffic patterns can be found in multi-tier applications in IT data- traffic patterns can be found in multi-tier applications in IT data
centers. centers.
Virtual interfaces are often configured to expect the concept of IP Virtual interfaces are often configured to expect the concept of IP
subnet to match its closed user group. A network virtualization subnet to match its closed user group. A network virtualization
solution should be able to provide this concept of IP subnet solution should be able to provide this concept of IP subnet
regardless of whether the underlying implementation uses a multi- regardless of whether the underlying implementation uses a multi-
access network or not. access network or not.
Virtual interfaces should be able to directly access multiple closed Virtual interfaces should be able to directly access multiple closed
user groups without needing to traverse a gateway. Network access user groups without needing to traverse a gateway. Network access
policy should allow this access whether the source and destination policy should allow this access whether the source and destination
CUGs for a particular traffic flow belong to the same tenant or CUGs for a particular traffic flow belong to the same tenant or
different tenants. It is often the case that infrastructure services different tenants. It is often the case that infrastructure services
are provided to multiple tenants. One such example is voice-over-IP are provided to multiple tenants. One such example is voice-over-IP
gateway services for branch offices. gateway services for branch offices.
Independently, but often associated with the previous two functions, Independently, but often associated with the previous two functions,
IP mobility is another network function that can be implemented using IP mobility is another network function that can be implemented using
network virtualization. By abstracting the externally visible network virtualization. By abstracting the externally visible
network address from the underlying infrastructure address, mobility network address from the underlying infrastructure address, mobility
can be implemented without having to recur to home agents or large L2 can be implemented without having to rely upon home agents or large
broadcast domains. L2 broadcast domains.
IP Mobility requires the ability to "move" a virtual interface IP Mobility requires the ability to "move" a virtual interface
without disrupting its TCP (or UDP) transport sessions. This without disrupting its TCP (or UDP) transport sessions. This
requires a mechanism that can efficiently communicate the mappings requires a mechanism that can efficiently communicate the mappings
between logical and physical addressing. between logical and physical addressing.
IP Mobility can be a result of devices physically moving (e.g., a IP Mobility can be a result of devices physically moving (e.g., a
WiFi enabled laptop) or workload being diverted between physical WiFi enabled laptop) or workload being diverted between physical
systems such as network appliances or application servers. systems such as network appliances or application servers.
skipping to change at page 5, line 27 skipping to change at page 5, line 27
actually implemented in different processors attached to an internal actually implemented in different processors attached to an internal
network. network.
This document assumes a similar separation of functionality in which This document assumes a similar separation of functionality in which
software appliances, the End-System Route Servers, implement the software appliances, the End-System Route Servers, implement the
control plane functionality of a PE device and a VPN Forwarder control plane functionality of a PE device and a VPN Forwarder
implements the forwarding function usually found in a PE device implements the forwarding function usually found in a PE device
"line-card". The VPN Forwarder functionality may be co-located with "line-card". The VPN Forwarder functionality may be co-located with
the end-system (e.g., implemented in the hypervisor switch or host OS the end-system (e.g., implemented in the hypervisor switch or host OS
network drivers) or it may be external. For instance, residing in a network drivers) or it may be external. For instance, residing in a
data-center switch or specialized appliance. data center switch or specialized appliance.
Operationally, BGP IP VPN technology has several important Operationally, BGP IP VPN technology has several important
characteristics: characteristics:
It has a high-level of aggregation between customer interfaces and It has a high-level of aggregation between customer interfaces and
managed entities (Provider Edge devices). managed entities (Provider Edge devices).
It defines VPNs as policies, allowing an interface to directly It defines VPNs as policies, allowing an interface to directly
exchange traffic with multiple VPNs and allowing for the topology exchange traffic with multiple VPNs and allowing for the topology
of the virtual network to be modified by modifying the policy of the virtual network to be modified by modifying the policy
skipping to change at page 6, line 10 skipping to change at page 6, line 10
characteristics required for large scale deployments. BGP's characteristics required for large scale deployments. BGP's
hierarchical route distribution capabilities allow a deployment to hierarchical route distribution capabilities allow a deployment to
divide the workload by increasing the number of End-System Route divide the workload by increasing the number of End-System Route
Servers. Servers.
As an example consider a topology in which 100 End-System Route As an example consider a topology in which 100 End-System Route
Servers are deployed in a network each serving a subset of the VPN Servers are deployed in a network each serving a subset of the VPN
forwarding elements. The Route Servers inter-connect to two top- forwarding elements. The Route Servers inter-connect to two top-
level BGP Route Reflectors [RFC4456]. level BGP Route Reflectors [RFC4456].
If an event (i.e. a VPN route change) needs to be propagated from a If an event (i.e., a VPN route change) needs to be propagated from a
specific end-system to 10,000 clients randomly distributed across the specific end-system to 10,000 clients randomly distributed across the
network, each of the End-System Route Servers must generate 100 network, each of the End-System Route Servers must generate 100
updates to its respective downstream clients. updates to its respective downstream clients.
By modifying this topology such that another 100 End-System Route By modifying this topology such that another 100 End-System Route
Servers are added, then each Route Server is now responsible to Servers are added, each Route Server is now responsible to generate
generate 50 client updates. This example illustrates the linear 50 client updates. This example illustrates the linear scaling
scaling properties of BGP: doubling the number of Route Servers (i.e. properties of BGP: doubling the number of Route Servers (i.e., the
the processing capacity) reduces in half the number of updates processing capacity) reduces in half the number of updates generated
generated by each (i.e. load at each processing node). by each (i.e., load at each processing node).
The same horizontal scaling techniques can be applied to the Route The same horizontal scaling techniques can be applied to the Route
Reflector layer in the example above by subsetting the VPN Route Reflector layer in the example above by subsetting the VPN Route
space according to some pre-defined criteria (for instance VPN route space according to some pre-defined criteria (for instance VPN route
target) and using a pair of Route Reflectors per subset. target) and using a pair of Route Reflectors per subset.
In the previous example we assumed a dense membership in which all In the previous example we assumed a dense membership in which all
Route Servers have local clients that are interested in a particular Route Servers have local clients that are interested in a particular
event. BGP also optimizes the route distribution for sparse events. event. BGP also optimizes the route distribution for sparse events.
The Route Target Constraint [RFC4684] extension, builds an optimal The Route Target Constraint [RFC4684] extension, builds an optimal
skipping to change at page 7, line 13 skipping to change at page 7, line 13
propagation of inter-VPN traffic policies [RFC5575]. propagation of inter-VPN traffic policies [RFC5575].
Note that the signaling protocol itself is rather agnostic of the Note that the signaling protocol itself is rather agnostic of the
encapsulation used on the wire as long as this encapsulation has the encapsulation used on the wire as long as this encapsulation has the
ability to carry a 20 bit label. ability to carry a 20 bit label.
Several network environments use a network infrastructure that is Several network environments use a network infrastructure that is
only capable of providing an IP unicast service. In order to support only capable of providing an IP unicast service. In order to support
them, implementations of this document should support the MPLS in GRE them, implementations of this document should support the MPLS in GRE
[RFC4023] encapsulation. Other encapsulations are possible, [RFC4023] encapsulation. Other encapsulations are possible,
including UDP based encapsulations [I-D.ietf-mpls-in-udp]. including UDP based encapsulations [RFC7510].
4. Virtual network end-points 4. Virtual network end-points
This document assumes that end-systems support one or more virtual This document assumes that end-systems support one or more virtual
network interfaces in addition to a physical interface that is network interfaces in addition to a physical interface that is
associated with the underlying network infrastructure. Virtual associated with the underlying network infrastructure. Virtual
network interfaces can be associated with a restricted list of network interfaces can be associated with a restricted list of
applications via OS-dependent mechanisms, a Virtual Machine (VM), or applications via OS-dependent mechanisms, a Virtual Machine (VM), or
they can be used to provide network connectivity to all user they can be used to provide network connectivity to all user
applications in the same way that a "VPN tunnel" interface is used to applications in the same way that a "VPN tunnel" interface is used to
provide access between an end-system (e.g., a laptop) and a remote provide access between an end-system (e.g., a laptop) and a remote
corporate network. corporate network.
From an IP address assignment point of view, a virtual network From an IP address assignment point of view, a virtual network
interface is addressed out of the virtual IP topology and associated interface is addressed out of the virtual IP topology and associated
with a "closed user group" or VPN, while the physical interface of with a "closed user group" or VPN, while the physical interface of
the machine is addressed in the network infrastructure topology. the machine is addressed in the network infrastructure topology.
A virtual network interface is connected to a VPN Forwarder. This A virtual network interface is connected to a VPN Forwarder. This
VPN Forwarder MAY be co-located in the end-system or external. VPN Forwarder MAY be co-located in the end-system or external. In
cases where the VPN Forwarder is external to the end-system, they can
either be directly connected or interconnected with a dedicated
802.1Q VLAN on a per virtual interface basis.
Both static and dynamic IP address allocation can be supported. The Both static and dynamic IP address allocation can be supported. The
later assumes that the VPN Forwarder implements a DHCP relay or DHCP latter assumes that the VPN Forwarder implements a DHCP relay or DHCP
proxy functionality. proxy functionality.
Traffic that ingresses or egresses through a virtual network Traffic that ingresses or egresses through a virtual network
interface is routed at the VPN Forwarder which acts as the first-hop interface is routed at the VPN Forwarder which acts as the first-hop
router (in the virtual topology). The IP configuration on the client router (in the virtual topology). The IP configuration on the client
side of this virtual network interface (e.g., in the guest OS) can side of this virtual network interface (e.g., in the guest OS) can
follow one of two models: follow one of two models:
point-to-point interface model. point-to-point interface model.
multipoint interface model. multipoint interface model.
In a point-to-point interface model, the VPN client routing table In a point-to-point interface model, the VPN client routing table
(e.g., on the guest OS) contains the following routing entries: a (e.g., on the guest OS) contains the following routing entries: a
host route to the local IP address, a host route to the first-hop host route to the local IP address, a host route to the first-hop
router via the virtual interface and a default route to the first-hop router via the virtual interface and a default route to the first-hop
router. This is the model typically used in "VPN tunnel" router. This is the model typically used in "VPN tunnel"
configurations or other access technologies such as cable deployments configurations or other access technologies such as cable deployments
or DSL. When this model is used, the first-hop router IP address is or DSL. When this model is used, the first-hop router IP address is
a link-local address that is the same on all first-hop routers across either an address from the tenant's IP address space or a link-local
a specific deployment. This first-hop IP address should not change address. This address SHOULD be the same on all first-hop routers
when a virtual interface moves between different machines. across a specific deployment so that it does not change when a
virtual interface moves between end systems.
In a multi-point interface model, the VPN client routing table (e.g., In a multi-point interface model, the VPN client routing table (e.g.,
on the guest OS) contains the following routing entries: a host route on the guest OS) contains the following routing entries: a host route
to the local IP address, a subnet route to the local interface and to the local IP address, a subnet route to the local interface and
optionally a default route to a specific router address within that optionally a default route to a specific router address within that
subnet. In this model, the VPN client IP stack will issue address subnet. In this model, the VPN client IP stack will issue address
resolution requests for any IP addresses it considers to be directly resolution requests for any IP addresses it considers to be directly
attached to the subnet. The VPN Forwarder shall answer all address attached to the subnet. The VPN Forwarder shall answer all address
resolution requests via Proxy ARP [RFC1027].The same technique is resolution requests via Proxy ARP [RFC1027].The same technique is
applicable when Neighbor Discovery is used to resolve IPv6 addresses. applicable when Neighbor Discovery is used to resolve IPv6 addresses.
Address resolution request should be answered using a virtual MAC Address resolution request should be answered using a virtual MAC
address which SHOULD be the same across all VPN Forwarders in a address which SHOULD be the same across all VPN Forwarders in a
specific deployment. This virtual MAC address SHALL default to the specific deployment. This virtual MAC address SHALL default to the
VRRP [RFC5798] virtual router MAC address for Virtual Router VRRP [RFC5798] virtual router MAC address for Virtual Router
Identifier (VRID) 1. Identifier (VRID) 1.
When the virtual topology first-hop router resides on the same When the virtual topology first-hop router resides on the same
physical machine, the host OS is responsible to map the virtual physical machine, the host OS is responsible to map the virtual
interface with a VPN specific routing table (without taking L2 interface with a VPN specific routing table (without taking L2
addresses into consideration). In this case the mac-addresses known addresses into consideration). In this case the MAC addresses known
to the guest OS are not used on the wire. to the guest OS are not used on the wire.
When the virtual topology first-hop router resides in an external When the virtual topology first-hop router resides in an external
system (e.g., the first hop-switch) the virtual interface shall be system (e.g., the first hop-switch) the virtual interface shall be
identified by the combination of the mac-address assigned to physical identified by the physical interface of the end-system and a 802.1Q
interface of the end-system and a 802.1Q VLAN tag. The first-hop VLAN tag. The first-hop switch should use a virtual router MAC
switch should use a virtual router MAC address to answer any address address to answer any address resolution queries.
resolution queries.
Whenever an external VPN Forwarder is used and resiliency is desired, Whenever an external VPN Forwarder is used and resiliency is desired,
the external VPN Forwarder should be redundant. It is desirable to the external VPN Forwarder should be redundant. It is desirable to
use VRRP as a mechanism to control the flow of traffic between the use VRRP as a mechanism to control the flow of traffic between the
end-system and the external VPN Forwarder. VRRP already defines the end-system and the external VPN Forwarder. VRRP already defines the
necessary procedures to elect a single forwarder for a LAN. necessary procedures to elect a single forwarder for a LAN.
This specification uses the VRRP virtual router MAC address as the This specification uses the VRRP virtual router MAC address as the
default L2 address for the VPN Forwarder as a client virtual default L2 address for the VPN Forwarder as a client virtual
interface may move between locations where redundancy may not be interface may move between locations where redundancy may not be
skipping to change at page 9, line 18 skipping to change at page 9, line 23
VRRP router election is only relevant in selecting the VPN Forwarder VRRP router election is only relevant in selecting the VPN Forwarder
associated with a specific machine, when external forwarders are in associated with a specific machine, when external forwarders are in
use. use.
5. VPN Forwarder 5. VPN Forwarder
In this solution, the Host OS/Hypervisor in the end-system must In this solution, the Host OS/Hypervisor in the end-system must
participate in the virtual network service. Given an end-system with participate in the virtual network service. Given an end-system with
multiple virtual interfaces, these virtual interfaces must be mapped multiple virtual interfaces, these virtual interfaces must be mapped
onto the network by the guest OS such that applications on one onto the network by the end system OS such that applications on one
virtual interface cannot send traffic to networks they are not virtual interface cannot send traffic to networks they are not
authorized to communicate with or using source addresses not assigned authorized to communicate with or using source addresses not assigned
to the virtual interface. to the virtual interface.
When VPN forwarder functionality is implemented by the Host OS/ When VPN forwarder functionality is implemented by the Host OS/
Hypervisor, intermediate systems in the network do not require any Hypervisor, intermediate systems in the network do not require any
knowledge of the virtual network topology. This can simplify the knowledge of the virtual network topology. This can simplify the
design and operation of the physical network. design and operation of the physical network.
When it is not possible or desirable to add the VPN forwarding When it is not possible or desirable to add the VPN forwarding
skipping to change at page 10, line 4 skipping to change at page 10, line 7
tables; tables;
VRF route entries map prefixes in the virtual network topology VRF route entries map prefixes in the virtual network topology
to a next-hop containing a infrastructure IP address and a to a next-hop containing a infrastructure IP address and a
20-bit label allocated by the destination Forwarder. The VRF 20-bit label allocated by the destination Forwarder. The VRF
table lookup follows the standard IP lookup (best-match) table lookup follows the standard IP lookup (best-match)
algorithm. algorithm.
Associate an end-system virtual interface with a specific VRF Associate an end-system virtual interface with a specific VRF
table; table;
When the the Forwarder is co-located with the end-system, this
When the Forwarder is co-located with the end-system, this
association is implemented by an internal mechanism. When the association is implemented by an internal mechanism. When the
Forwarder is external the association is performed using the Forwarder is external the association is performed using the
mac-address of the end-system and a IEEE 802.1Q tag that MAC address of the end-system and an IEEE 802.1Q tag that
identifies the virtual interface within the end-system. identifies the virtual interface within the end-system.
Encapsulate outgoing traffic (end-system to network) according to Encapsulate outgoing traffic (end-system to network) according to
the result of the VRF lookup; the result of the VRF lookup;
Associate incoming packets (network to end-system) to a VRF Associate incoming packets (network to end-system) to a VRF
according to the 20-bit label contained in the packet; according to the 20-bit label contained in the packet;
The VPN Forwarder MAY support the ability to associate multiple The VPN Forwarder MAY support the ability to associate multiple
virtual interfaces with the same VRF. When that is the case, locally virtual interfaces with the same VRF. When that is the case, locally
originated routes, that is IP routes to the local virtual interfaces originated routes, that is IP routes to the local virtual interfaces
SHALL NOT be used to forward outbound traffic (from the virtual SHALL NOT be used to forward outbound traffic (from the virtual
interfaces to the outside) unless a route advertisement has been interfaces to the outside) unless a route advertisement has been
received that matches that specific IP prefix and next-hop received that matches that specific IP prefix and next-hop
information. information. This is intended to ensure that the forwarding behavior
is the same whether the VRF is shared or between multiple interfaces
of the same virtual-network or not.
As an example, if a given VRF contains two virtual interfaces, As an example, if a given VRF contains two virtual interfaces,
"veth0" and "veth1", with the addresses 10.0.1.1/32 and 10.0.1.2/32 "veth0" and "veth1", with the addresses 203.0.113.1/32 and
respectively, the initial forwarding state must be initialized such 203.0.113.2/32 respectively, the initial forwarding state must be
that traffic from either of these interfaces does not match the initialized such that traffic from either of these interfaces does
other's routing table entry. It may for instance match a default not match the other's routing table entry. It may for instance match
route advertised by a remote system. Traffic received from other VPN a default route advertised by a remote system. Traffic received from
Forwarders, however, must be delivered to the correct local other VPN Forwarders, however, must be delivered to the correct local
interface. If at a subsequent stage a route is received from the interface. If at a subsequent stage a route is received from the
Route Server such that 10.0.1.2/32 has a next-hop with the IP address Route Server such that 203.0.113.2/32 has a next-hop with the IP
of the local host and the correct label, the system may subsequently address of the local host and the correct label, the system may
install a local routing table entry that delivers traffic directly to subsequently install a local routing table entry that delivers
the "veth1" interface. This means that forwarding table entries traffic directly to the "veth1" interface. This means that
apply to downstream only by default. This capability can be used to forwarding table entries apply to downstream only by default. This
implement a hub-and-spoke topology, if required. capability can be used to implement a hub-and-spoke topology, if
required.
The 20-bit label which is associated with a virtual-interface is of The 20-bit label which is associated with a virtual interface is of
local significance only and SHOULD be allocated by the VPN Forwarder. local significance only and SHOULD be allocated by the VPN Forwarder.
When an external VPN Forwarder is used the end-system MUST associate When an external VPN Forwarder is used the end-system MUST associate
each virtual interface with a VLAN [IEEE.802-1Q] that is unique on each virtual interface with a VLAN [IEEE.802-1Q] that is unique on
the end-system. The switching infrastructure MUST be configured such the end-system. The switching infrastructure MUST be configured such
that multi-destination frames sourced from an end-system are only that multi-destination frames sourced from an end-system are only
delivered to VPN Forwarders used by this end-system and not to other delivered to VPN Forwarders used by this end-system and not to other
end-systems. end-systems.
6. XMPP signaling protocol 6. XMPP signaling protocol
skipping to change at page 11, line 31 skipping to change at page 11, line 33
VPN forwarders (both co-located and external) establish XMPP sessions VPN forwarders (both co-located and external) establish XMPP sessions
with End-System Route Servers, acting as XMPP clients. When an with End-System Route Servers, acting as XMPP clients. When an
external VPN Forwarder is used, end-systems establish XMPP sessions external VPN Forwarder is used, end-systems establish XMPP sessions
with VPN Forwarders. External VPN Forwarders act as XMPP servers for with VPN Forwarders. External VPN Forwarders act as XMPP servers for
end-systems which are associated with them. end-systems which are associated with them.
A VPN Forwarder MAY connect to multiple End-System Route Servers for A VPN Forwarder MAY connect to multiple End-System Route Servers for
reliability. In this case it SHOULD publish its information to each reliability. In this case it SHOULD publish its information to each
of the Route Servers. It MAY choose to subscribe to VPN routing of the Route Servers. It MAY choose to subscribe to VPN routing
information once only from one of the available gateways. information once only from one of the available gateways. In this
case the Forwarder is responsible for switching subscriptions over to
alternate Route Servers in the case of Route Server failures.
Alternatively, it MAY choose to subscribe to VPN routing information
from each End-System Route Server. In this latter case the Forwarder
is responsible for selecting which Route Server is authoritative for
a specific forwarding entry. The Route Servers are expected to
produce the same forwarding information with no delta other than the
one introduced by processing and communication delays. The VPN
Forwarder is expected to select the entry that it deems as more
recent for positive updates. It SHOULD NOT consider a forwarding
entry to be withdrawn unless it is withdrawn by both Route Servers.
The information advertised by an XMPP client SHOULD be deleted after The Route Server MUST monitor the XMPP connection status of each VPN
a configurable timeout, when the session closes. This timeout should Forwarder that is connected to it. The information advertised by an
default to 60 seconds. XMPP client SHOULD be deleted after a configurable timeout, after
XMPP session closes. This timeout should default to 60 seconds.
The End-System Route Server MAY monitor the status of each VPN
Forwarder, for instance, through the use of the BFD [RFC5880]
protocol. The Route Server MAY choose to immediately reduce the
preference of routing information received from an XMPP client for
which a failure has been detected either through an session close
event or an external failure detection mechanism such as BFD. .
+---------+ +--------+ +---------+ +--------+
| RS | ----------- | BGP | | RS | ----------- | BGP |
+---------+ +--------+ +---------+ +--------+
// \ / // \ /
XMPP \ / XMPP \ /
// \ / // \ /
+------------+ \ / +------------+ \ /
| end-system | \ / | end-system | \ /
+------------+ \/ +------------+ \/
\\ /\ \\ /\
XMPP / \ XMPP / \
\\ / \ \\ / \
+---------+ / \ +--------+ +---------+ / \ +--------+
| RS | ----------- | BGP | | RS | ----------- | BGP |
+---------+ +--------+ +---------+ +--------+
Figure 1
The figure above represents a typical configuration in which an end- The figure above represents a typical configuration in which an end-
system with a co-located VPN Forwarder is directly connected to two system with a co-located VPN Forwarder is directly connected to two
End-System Routes Servers, which are in turn connected to multiple End-System Route Servers, which are in turn connected to multiple BGP
BGP speakers which may be other L3VPN PEs or BGP route reflectors. speakers which may be other L3VPN PEs or BGP route reflectors.
In deployment the number of End-System Route Servers used will depend In deployment the number of End-System Route Servers used will depend
on the desired Route Server to VPN Forwarder ratio which affects the on the desired Route Server to VPN Forwarder ratio which affects the
convergence time of event propagation. convergence time of event propagation.
The XMPP "jid" used by the client shall be a string that uniquely The XMPP JID used by the client SHALL be a RFC 7622 [RFC7622]
identifies it in its administrative domain. This specification compliant address that uniquely identifies it in its administrative
recommends the use of the hostname (when unique) or an IP address in domain. The VPN Forwarder SHOULD use as JID its hostname, when
its string representation. available, or an unique IP address within the infrastructure network
win its string representation.
Each VPN shall be identified by a 128 octet ASCII character string. The XMPP JID used by an End-System Route Server SHOULD be the
constant string 'route-server@ietf.org'.
When external Forwarders are used, its control software operates as a Each VPN shall be identified by an ASCII character string that SHOULD
XMPP server processing requests from end-systems and as a client of NOT exceed 128 octets and MUST be unique within a specific
one or more End-System Route Servers. The control software relays to administrative domain. The VPN identifier is an attribute of each
the End-System Route Server(s) VPN membership messages it receives virtual interface. It is assumed that a configuration management
system exists such that it provisions the Route Servers with VPN
identifier values and the VPN Forwarders with the mapping of virtual
interface to VPN identifier. Such configuration management system is
outside the scope of this document.
Each VPN identifier corresponds to a Pub-Sub node in the Route Server
XMPP servers. This Pub-Sub nodes SHOULD be configured such that Pub-
Sub items are persistent and that event notifications include the
item payload. Implementations MAY choose to perform this operation
explicitly or implicitly by mapping XMPP subscription requests to an
event observer mechanism that tracks the VRF table corresponding to
the VPN in question.
When external Forwarders are used, its control software operates as
an XMPP server processing requests from end-systems and as a client
of one or more End-System Route Servers. The control software relays
to the End-System Route Server(s) VPN membership messages it receives
from the end-system. VPN routing information received from the Route from the end-system. VPN routing information received from the Route
Server(s) SHOULD NOT be propagated to the end-system. Server(s) SHOULD NOT be propagated to the end-system.
When a virtual interface is created on a end-system, the host When a virtual interface is created on a end-system, the host
operating-system software shall generate an XMPP Subscribe message to operating-system software shall generate an XMPP Subscribe message to
its server (the End-System Route Server or external VPN Forwarder). its server (the End-System Route Server or external VPN Forwarder).
Each Subscribe message SHALL be addressed to the JID of the End-
System Route Server (route-server@ietf.org), using the VPN Identifier
as the NodeID. If subsequent Virtual Interfaces are created with the
same VPN Identifier, and the previous Pub-Sub subscription is still
in effect, then extraneous XMPP Pub-Sub Subscribe messages SHOULD NOT
be sent to the End-System Route Server. If at any point all Virtual
Interfaces associated with a given VPN Identifier are removed or
deactivated from the End-System, then the host operating-system
SHOULD generate an XMPP Pub-Sub Unsubscribe message to its server for
the Pub-Sub node associated with the VPN Identifier.
Subscription request from co-located VPN Forwarder to Route Server: Example subscription request from co-located VPN Forwarder to Route
Server:
<iq type='set' <iq type='set'
from='hostname.domain.org' from='forwarder.domain.org'
to='network-control@domain.org' to='route-server@ietf.org'
id='sub1'> id='sub1'>
<pubsub xmlns='http://jabber.org/protocol/pubsub'> <pubsub xmlns='http://jabber.org/protocol/pubsub'>
<subscribe node='vpn-customer-name'/> <subscribe node='vpn-customer-name' jid='route-server@ietf.org'/>
<options> <options>
<instance-id>1</instance-id> <instance-id>1</instance-id>
</options> </options>
</pubsub> </pubsub>
</iq> </iq>
The request above, instructs the End-System Route Server to start The request above, instructs the End-System Route Server to start
populating the client's VRF table with any routing information that populating the client's VRF table with any routing information that
is available for this VPN. The XMPP node 'vpn-customer-name' is is available for this VPN. The XMPP node 'vpn-customer-name' is
assumed to be implicitly created by the End-System Route Server. assumed to be implicitly created by the End-System Route Server.
Creation of a virtual interface may precede any IP address becoming Creation of a virtual interface may precede any IP address becoming
active on the interface, as it is the case with VM instantiation. active on the interface, as it is the case with VM instantiation.
The optional "instance-id" element allows the VPN Forwarder to The optional "instance-id" element allows the VPN Forwarder to
specify a unique 16 bit index that can be used by the Route Server to specify a unique 16 bit index that can be used by the Route Server to
automatically assign a Route Distinguisher (RD) to any route automatically assign a Route Distinguisher (RD) to any route
skipping to change at page 13, line 11 skipping to change at page 14, line 17
assumed to be implicitly created by the End-System Route Server. assumed to be implicitly created by the End-System Route Server.
Creation of a virtual interface may precede any IP address becoming Creation of a virtual interface may precede any IP address becoming
active on the interface, as it is the case with VM instantiation. active on the interface, as it is the case with VM instantiation.
The optional "instance-id" element allows the VPN Forwarder to The optional "instance-id" element allows the VPN Forwarder to
specify a unique 16 bit index that can be used by the Route Server to specify a unique 16 bit index that can be used by the Route Server to
automatically assign a Route Distinguisher (RD) to any route automatically assign a Route Distinguisher (RD) to any route
subsequently advertised by the VPN Forwarder. In a scenario where subsequently advertised by the VPN Forwarder. In a scenario where
the VPN Forwarder is advertising reachability information to multiple the VPN Forwarder is advertising reachability information to multiple
Route Servers it is desirable for reachability information to have an Route Servers it is desirable for reachability information to have an
RD composed of the VPN Forwarder identifier (e.g. IPv4 address) and RD composed of the VPN Forwarder identifier (e.g., IPv4 address) and
the "instance-id". the "instance-id".
Subscription request from end-system to external VPN Forwarder: Example subscription request from end-system to external VPN
Forwarder:
<iq type='set' <iq type='set'
from='hostname.domain.org' from='end-system.domain.org'
to='network-control@domain.org' to='route-server@ietf.org'
id='sub1'> id='sub1'>
<pubsub xmlns='http://jabber.org/protocol/pubsub'> <pubsub xmlns='http://jabber.org/protocol/pubsub'>
<subscribe node='vpn-customer-name'/> <subscribe node='vpn-customer-name' jid='route-server@ietf.org'/>
<options> <options>
<x xmlns='jabber:x:data' type='submit'> <x xmlns='jabber:x:data' type='submit'>
<field var='vpn#vlan_id'><value>vlan-id</value></field> <field var='vpn#vlan_id'><value>100</value></field>
</x> </x>
</options> </options>
</pubsub> </pubsub>
</iq> </iq>
When an external VPN Forwarder is used, the end-system should include When an external VPN Forwarder is used, the end-system SHOULD include
the VLAN identifier it assigned to the virtual interface as a the VLAN identifier it assigned to the virtual interface as a
subscription option. subscription option. This option is represented in the XMPP Pub-Sub
Subscribe message as a data form [xep-0004] field with the name
"vpn#vlan_id". The example above uses the 802.1Q tag value of 100.
When a IP address is added to a virtual interface, the end-system When a Route Server receives a subscription request for a specific
will generate an XMPP Publish request. VPN identifier it SHALL treat this request as an implicit request for
item retrieval for all items in the Pub-Sub node that corresponds to
the VPN.
Example unsubscribe request from co-located VPN Forwarder to Route
Server:
<iq type='set'
from='forwarder.domain.org'
to='route-server@ietf.org'
id='unsub1'>
<pubsub xmlns='http://jabber.org/protocol/pubsub'>
<unsubscribe
node='vpn-identifier'
jid='route-server@ietf.org' />
</pubsub>
</iq>
When a IP address is added to a virtual interface and the interface
is activated, the end-system SHALL generate an XMPP Pub-Sub Publish
request. This request publishes an item containing a single entry
element based on the XML Schema Definition in Section 11. The ItemID
of this item MUST be generated by the VPN Forwarder such that the
value is unique within a Pub-Sub node. The ItemID MAY be formed by
combining the VPN Forwarder's IP address, the instance-id value, and
the entry address element. This format corresponds to the string
representation of a BGP L3VPN NLRI in which the Route Distinguisher
is given by the VPN Forwarder IP address and instance-id and is
easily identifiable by network operators. However, the format and/or
structure of the ItemID is not meaningful in the context of this
document as long as uniqueness is guarantied.
Publish request from VPN Forwarder to End-System Route Server: Publish request from VPN Forwarder to End-System Route Server:
<iq type='set' <iq type='set'
from='hostname.domain.org' <!-- end-system jid --> from='forwarder.domain.org'
to='network-control@domain.org' to='route-server@ietf.org'
id='request1'> id='request1'>
<pubsub xmlns='http://jabber.org/protocol/pubsub'> <pubsub xmlns='http://jabber.org/protocol/pubsub'>
<publish node='vpn-customer-name'> <publish node='vpn-customer-name'>
<item id='x.x.x.x:y:vpn-ip-address/32'> <item id='192.0.2.1:1:203.0.113.42/32'>
<entry xmlns='http://ietf.org/protocol/bgpvpn'> <entry xmlns='urn:ietf:params:xml:ns:bgp:l3vpn:unicast'>
<nlri> <nlri>
<af>1</af> <af>1</af>
<address>'vpn-ip-address/32'</address> <address>203.0.113.42</address>
</nlri> </nlri>
<next-hops> <next-hops>
<next-hop> <next-hop>
<af>1</af> <af>1</af>
<address>'infrastructure-ip-address'</address> <address>192.0.2.1</address>
<label>10000</label> <!-- 20 bit number --> <label>10000</label>
<tunnel-encapsulation-list> <tunnel-encapsulation-list>
<tunnel-encapsulation>gre</tunnel-encapsulation> <tunnel-encapsulation>gre</tunnel-encapsulation>
<tunnel-encapsulation>udp</tunnel-encapsulation> <tunnel-encapsulation>udp</tunnel-encapsulation>
</tunnel-encapsulation-list> </tunnel-encapsulation-list>
</next-hop> </next-hop>
</next-hops> </next-hops>
<sequence-number>1</sequence-number> <sequence-number>1</sequence-number>
</entry> </entry>
</item> </item>
</publish> </publish>
</pubsub> </pubsub>
</iq> </iq>
In this example, the VPN Forwarder JID is "forwarder.domain.org".
The VPN Identifier "vpn-identifier" is used as the value of the node
attribute of the subscribe element. The IP address of the Virtual
Interface is 203.0.113.42/32. The IP address of the VPN Forwarder is
192.0.2.1 and it supports receiving MPLS packets via both GRE and UDP
tunneling. Label 10000 has been assigned to this particular Virtual
Interface.
The End-System Route Server will convert the information received in The End-System Route Server will convert the information received in
a 'publish' request into the corresponding BGP route information such a 'publish' request into the corresponding BGP route information such
that:. that:.
It associates the specific request with a local VRF which it It associates the specific request with a local VRF which it
resolves by using a combination of the originator jid and the resolves by using the Pub-Sub 'node' attribute.
collection 'node' attribute.
It creates a BGP VPN route with a 'Route Distinguisher' (RD) which It creates a BGP VPN route with a 'Route Distinguisher' (RD) which
contains a unique 32bit value per end-system plus a 16bit contains a unique 32bit value per end-system plus a 16bit
instance-id, the specified IP prefix and 'label' received from the instance-id, the specified IP prefix and 'label' received from the
VPN Forwarder as the Network Layer Reachability Information VPN Forwarder as the Network Layer Reachability Information
(NLRI). The instance-id is either the value specified by the XMPP (NLRI). The instance-id is either the value specified by the XMPP
client in the subscribe message for the specific pubsub node or a client in the subscribe message for the specific pubsub node or a
locally generated value when that parameter is omitted. locally generated value when that parameter is omitted.
The BGP next-hop address is set to the address of the VPN The BGP next-hop address is set to the address of the VPN
Forwarder. Forwarder.
A BGP Tunnel Encapsulation Attribute [RFC5512] is generated for A BGP Tunnel Encapsulation Attribute [RFC5512] is generated for
each 'tunnel-encapsulation' element specified in the XMPP message. each 'tunnel-encapsulation' element specified in the XMPP message.
It optionally associates the route with a MAC Mobility extended It optionally associates the route with a MAC Mobility extended
community [I-D.ietf-l2vpn-evpn] containing a sequence number of community [RFC7432] containing a sequence number of the route
the route advertisement. advertisement.
Conversely, when an interface operational status is determined to be Conversely, when an interface operational status is determined to be
down or an IP address is unconfigured the VPN forwarder generates an down or an IP address is unconfigured the VPN forwarder generates an
XMPP retract message to withdraw the route advertisement. XMPP retract message to withdraw the route advertisement.
Retract request from VPN Forwarder to End-System Route Server: Retract request from VPN Forwarder to End-System Route Server:
<iq type='set' <iq type='set'
from='hostname.domain.org' from='forwarder.domain.org'
to='network-control@domain.org' to='route-server@ietf.org'
id='retract1'> id='retract1'>
<pubsub xmlns='http://jabber.org/protocol/pubsub'> <pubsub xmlns='http://jabber.org/protocol/pubsub'>
<retract node='vpn-customer-name'> <retract node='vpn-customer-name'>
<item id='x.x.x.x:y:vpn-ip-address/32'> <item id='192.0.2.1:1:203.0.113.42/32'/>
</retract> </retract>
</pubsub> </pubsub>
</iq> </iq>
Update notification from Route Server to VPN Forwarder:
<message to='hostname.domain.org' from='network-control@domain.org'> The retract message uses the ItemId to identify the item being
retracted. The example retract message above uses the L3VPN NLRI
string representation ItemId format used in the publish example.
Consistent with XMPP Pub-Sub [pubsub] Event notifications will be
generated whenever a VPN route is added, modified or deleted. This
is true for VPN routes learned via XMPP clients as well as routes
learned via BGP. For VPN routes that are learned via BGP (rather
than XMPP clients) the Route Server SHOULD create XMPP Pub-Sub
Publish messages or otherwise take steps to publish a persistent item
under the NodeID associated with the VPN Identifier of the
appropriate VRF(s). Thus the Pub-Sub node will contain items for
every route for the associated VPN. Upon successfully publishing a
Pub-Sub item the XMPP server SHALL generate event notification
messages and send them to all VPN Forwarders that are actively
subscribed to that node. These event notifications SHOULD be sent as
soon as possible (without delay) in order to facilitate convergence
and consistent reachability.
Example update notification from Route Server to VPN Forwarder:
<message to='forwarder.domain.org' from='route-server@ietf.org'>
<event xmlns='http://jabber.org/protocol/pubsub#event'> <event xmlns='http://jabber.org/protocol/pubsub#event'>
<items node='vpn-customer-name'> <items node='vpn-customer-name'>
<item id='x.x.x.x:y:vpn-ip-address/32'> <item id='192.0.2.1:1:203.0.113.42/32'>
<entry xmlns='http://ietf.org/protocol/bgpvpn'> <entry xmlns='urn:ietf:params:xml:ns:bgp:l3vpn:unicast'>
<nlri> <nlri>
<af>1</af> <af>1</af>
<address>'vpn-ip-address>/32'</address> <address>203.0.113.42/32</address>
</nlri> </nlri>
<next-hops> <next-hops>
<next-hop> <next-hop>
<af>1</af> <af>1</af>
<address>'infrastructure-ip-address'</address> <address>192.0.2.1</address>
<label>10000</label> <!-- 20 bit number --> <label>10000</label>
<tunnel-encapsulation-list>
<tunnel-encapsulation>gre</tunnel-encapsulation>
<tunnel-encapsulation>udp</tunnel-encapsulation>
</tunnel-encapsulation-list>
</next-hop> </next-hop>
</next-hops> </next-hops>
<sequence-number>1</sequence-number> <sequence-number>1</sequence-number>
</entry> </entry>
</item> </item>
<item > <item >
... ...
</item> </item>
</items> </items>
</event> </event>
</message> </message>
Notifications should be generated whenever a VPN route is added, Notifications should be generated whenever a VPN route is added,
modified or deleted. These notification messages contain only items modified or deleted. These notification messages contain only items
that have been added, modified or deleted since the previous that have been added, modified or deleted since the previous
information sent to the VPN Forwarder. Notification messages can be information sent to the VPN Forwarder. Notification messages can be
segmented at the convinience of the Router Server. segmented at the convenience of the Router Server.
Note that the Update from the Route Server to the VPN Forwarder does Note that the Update from the Route Server to the VPN Forwarder does
not contain the "jid" of the destination end-system. The "from" not contain the JID of the destination end-system. The "from"
attribute in the 'message' element contains a "jid" associated with attribute in the 'message' element contains the Route Server JID.
the Route Servers in the domain. The XMPP messages are point-to- The XMPP messages are point-to-point in nature, between a Forwarder
point in nature, between a Forwarder and Route Server. Even in the and Route Server, even in the case when one XMPP publish request from
case when one XMPP publish request from a Forwarder may cause the a Forwarder may cause the Route Server to generate one or more event
Route Server to generate one or more event notifications. notifications.
The item "id" used in publish and retract messages must be unique The ItemId used in publish and retract messages MUST be unique within
within the context of a XMPP pubsub node. This specification uses an the context of an XMPP pubsub node as required by [pubsub].
id format that corresponds to the string representation of the route
such that the leading part corresponds to an IP identifier of the
end-system, followed by the 'instance-id' for the specific VRF and
the IP prefix in its canonical string representation.
When multiple possible routes exist for a given VPN IP address within When multiple possible routes exist for a given VPN IP address within
a VRF it is the responsibility of the Route Server to select the best a VRF it is the responsibility of the Route Server to select the best
path to advertise to the Forwarder. path to advertise to the VPN Forwarders. The routing entries
published by the Route Server to VPN Forwarders MAY include multiple
next-hop for the same forwarding entry. While BGP L3VPN NLRI encode
a single next-hop, multiple NLRI with different RDs may result in a
single forwarding entry in a VRF with multiple next-hops. This
functionality is known as "vrf multipath" in standard BGP L3VPN
implementations. This "vrf multipath" behavior can be applied to
both BGP and XMPP learned routing information. The criteria used for
multipath selection is outside the scope of this document but SHOULD
be consistent between the Route Servers within an administrative
domain.
A VPN Forwarder uses locally originated information to generate MPLS A VPN Forwarder uses locally originated information to generate MPLS
label forwarding state, used to forward downstream traffic (i.e. label forwarding state, used to forward downstream traffic (i.e.,
traffic received from the network). Upstream traffic (i.e. received traffic received from the network). Upstream traffic (i.e., received
from a virtual-interface) is forwarded according to the routing from a virtual interface) is forwarded according to the routing
information received from one or more Route Servers that the VPN information received from one or more Route Servers that the VPN
forwarder has an XMPP session with. In the case where multiple forwarder has an XMPP session with. In the case where multiple
Router Servers are providing routing information for a specific NLRI Router Servers are providing routing information for a specific NLRI
the VPN Forwarder SHOULD select the following algorithm: the VPN Forwarder SHOULD select the following algorithm:
Prefer the highest local-preference value; Prefer the highest local-preference value;
Prefer the highest sequence-number; Prefer the highest sequence-number;
Tie-break on the Route Server IP address. Tie-break on the Route Server IP address.
When routes are withdrawn, the End-System Route Server generates an When routes are withdrawn, the End-System Route Server generates an
item "retract" request. item "retract" request.
Route advertisements can have an optional sequence-number which help Route advertisements can have an optional sequence-number which help
the route server determine the most recent route advertisement. The the route server determine the most recent route advertisement. The
sequence number is detemined by an mechanism external to this sequence number is determined by a mechanism external to this
document. One example is to use time synchronization between compute document. One example is to use time synchronization between compute
nodes to have a globally coordinated timestamp. This timestamp can nodes to have a globally coordinated timestamp. This timestamp can
be used to identify the time of interface creation on the compute be used to identify the time of interface creation on the compute
node. node.
Routes can also be associated with a "local-preference" attribute. Routes can also be associated with a "local-preference" attribute.
This attribute mapps to the BGP attribute of the same name for the This attribute maps to the BGP attribute of the same name for the
purposes of route selection. purposes of route selection.
7. End-System Route Server behavior 7. End-System Route Server behavior
End-System Route Servers SHALL support the BGP address families: VPN- End-System Route Servers SHALL support the BGP address families: VPN-
IPv4 (1, 128), VPN-IPv6 (2, 128) and RT-Constraint (1, 132) IPv4 (1, 128), VPN-IPv6 (2, 128) and RT-Constraint (1, 132)
[RFC4684]. [RFC4684].
When an End-System Route Server receives a request to create or When an End-System Route Server receives a request to create or
modify a VPN route it SHALL generate a BGP VPN route advertisement modify a VPN route it SHALL generate a BGP VPN route advertisement
skipping to change at page 18, line 34 skipping to change at page 20, line 52
In order to better illustrate the operation of the protocol we In order to better illustrate the operation of the protocol we
consider a simple example in which "host 1" and "host 2" both contain consider a simple example in which "host 1" and "host 2" both contain
a virtual interface that is a member of the same VPN. a virtual interface that is a member of the same VPN.
Each of these hosts has an XMPP session with an End-System Route Each of these hosts has an XMPP session with an End-System Route
Server, RS1 and RS2 our example, and these Route Servers are part of Server, RS1 and RS2 our example, and these Route Servers are part of
the same BGP mesh. the same BGP mesh.
When a virtual interface is created on "host 1", the local XMPP When a virtual interface is created on "host 1", the local XMPP
client generates a XMPP subscription message to its respective Route client generates an XMPP subscription message to its respective Route
Server. This message contains a VPN identifier that has been Server. This message contains a VPN identifier that has been
assigned by the provisioning system. The Route Server maps that assigned by the provisioning system. The Route Server maps that
identifier to a BGP IP VPN configuration which contains the list of identifier to a BGP IP VPN configuration which contains the list of
import and export route targets to be used for that particular VRF. import and export route targets to be used for that particular VRF.
Once the interface is operational, "host 1" will publish any IP Once the interface is operational, "host 1" will publish any IP
addresses that are configured on the respective virtual interface. addresses that are configured on the respective virtual interface.
This will in turn cause the End-System Route Server to advertise This will in turn cause the End-System Route Server to advertise
these (directly or indirectly) to any other BGP speaker on the these (directly or indirectly) to any other BGP speaker on the
network which is connected to an attachment point of that VPN. network which is connected to an attachment point of that VPN.
+--------+ +------------+ +----------+ +--------+ +------------+ +----------+
| host 1 | <===> | End-System | <===> | BGP mesh | | host 1 | <===> | End-System | <===> | BGP mesh |
+--------+ |Route Server| +----------+ +--------+ |Route Server| +----------+
+------------+ +------------+
Figure 1 Figure 2
+----------------+-------------+-------+-----------+ +-----------------+---------------+-------+-----------+
| VPN IP address | NEXT-HOP | label | Known via | | VPN IP address | NEXT-HOP | label | Known via |
+----------------+-------------+-------+-----------+ +-----------------+---------------+-------+-----------+
| 10.1.1.1/32 | 192.168.1.1 | 10000 | XMPP | | 203.0.113.42/32 | 192.0.2.1 | 16 | XMPP |
| | | | | | | | | |
| 10.1.1.2/32 | 192.168.2.1 | 20000 | BGP | | 203.0.113.48/32 | 198.51.100.10 | 20 | BGP |
+----------------+-------------+-------+-----------+ +-----------------+---------------+-------+-----------+
VPN Routing table on Route Server VPN Routing table on Route Server
Table 1 Table 1
The figure above represents the contents of the VRF routing table on The figure above represents the contents of the VRF routing table on
RS1 after the IPv4 address 10.1.1.1 has been added to the virtual RS1 after the IPv4 address 203.0.113.42 has been added to the virtual
interface on host 1. It assumes that there is another attachement interface on host 1. It assumes that there is another attachment
point for this VPN with the IPv4 address of 10.1.1.2. Host 1 has an point for this VPN with the IPv4 address of 203.0.113.48. Host 1 has
infrastructure IP address of 192.168.1.1 configured on its physical an infrastructure IP address of 192.0.2.1 configured on its physical
interface while host 2 has IP address 192.168.2.1. interface while host 2 has IP address 198.51.100.10.
The contents of the VRF routing table in the End-System Route Servers The contents of the VRF routing table in the End-System Route Servers
are advertised via XMPP Update notifications sent to host 1. This are advertised via XMPP Update notifications sent to host 1. This
information is the used by the host to populate the forwarding table information is the used by the host to populate the forwarding table
associated with that VPN. associated with that VPN.
+--------+ +--------+ +--------+ +--------+
app -- veth0 --| host 1 |=== [network] ===| host 2 |-- veth0 -- app app -- veth0 --| host 1 |=== [network] ===| host 2 |-- veth0 -- app
+--------+ +--------+ +--------+ +--------+
IP pkt ===> encap (GRE + label) ===> [IP net] ===> decap ===> IP pkt IP pkt ===> encap (GRE + label) ===> [IP net] ===> decap ===> IP pkt
[192.168.2.1, 20] map 20 to veth0 [192.51.100.10, 20] map 20 to veth0
Figure 2 Figure 3
+----------------+--------------+-------+ +-----------------+---------------+-------+
| VPN IP address | Host address | label | | VPN IP address | Host address | label |
+----------------+--------------+-------+ +-----------------+---------------+-------+
| 10.1.1.1/32 | localhost | 10000 | | 203.0.113.42/32 | localhost | 16 |
| | | | | | | |
| 10.1.1.2/32 | 192.168.2.1 | 20000 | | 203.0.113.48/32 | 198.51.100.10 | 20 |
+----------------+--------------+-------+ +-----------------+---------------+-------+
VRF table on host1 VRF table on host1
Table 2 Table 2
When an application that uses the virtual interface on host 1 When an application that uses the virtual interface on host 1
generates packets with a destination IP address of 10.1.1.2 these are generates packets with a destination IP address of 203.0.113.48 these
routed by the VPN Forwarder implemented in the Host OS. The packets are routed by the VPN Forwarder implemented in the Host OS. The
are encapsulated with a header that contains a 20-bit label assigned packets are encapsulated with a header that contains a 20-bit label
by host 2. assigned by host 2.
In the case the virtual interface on host is associated with a guest In the case the virtual interface on the host is associated with a
OS, this guest OS has had its address resolution queries answered guest OS, this guest OS has had its address resolution queries
with the Virtual Router MAC address. As a result, that is the answered with the Virtual Router MAC address. As a result, that is
address it uses as the destination MAC address in packets it the address it uses as the destination MAC address in packets it
originates. This MAC address is not present on the encapsulated originates. This MAC address is not present on the encapsulated
packet. packet.
End-System Route Servers are software applications that implement End-System Route Servers are software applications that implement
both the BGP IP VPN PE control plane as well as XMPP server both the BGP IP VPN PE control plane as well as XMPP server
functionality. These applications are not in the forwarding plane functionality. These applications are not in the forwarding plane
and do not need to be co-located with a network device. and do not need to be co-located with a network device.
Network devices MAY have direct BGP sessions to the End-System Route Network devices MAY have direct BGP sessions to the End-System Route
Servers. For instance, a router or security appliance that supports Servers. For instance, a router or security appliance that supports
skipping to change at page 20, line 43 skipping to change at page 23, line 19
A symmetrical VPN uses a vrf import and vrf export polices that A symmetrical VPN uses a vrf import and vrf export polices that
contain a single route target, where the route target used for both contain a single route target, where the route target used for both
import and export is the same. import and export is the same.
Different VPN topologies can be created by manipulating the vrf Different VPN topologies can be created by manipulating the vrf
import and export configuration including "hub-and-spoke" topologies import and export configuration including "hub-and-spoke" topologies
or overlapping VPNs. or overlapping VPNs.
An example of a hub-and-spoke VPN configuration is one where all the An example of a hub-and-spoke VPN configuration is one where all the
traffic from the VPN clients must be redirected though a middle-box traffic from the VPN clients must be redirected though a middle-box
for inspection. Assuming that the virtual interfaces of a particular for inspection. Assume that the virtual interfaces of a particular
user are configured to be in the VPN "tenant1". At an initial stage user are configured to be in the VPN "tenant1". At an initial stage
this "tenant1" VPN is symmetrical and uses a single Route Target in this "tenant1" VPN is symmetrical and uses a single Route Target in
both its import and export policies. The middle-box functionality both its import and export policies. The middle-box functionality
can be incrementally deployed by defining a new VPN, "tenant1-hub", can be incrementally deployed by defining a new VPN, "tenant1-hub",
and an associated Route Target. Accompanied with a change in the and an associated Route Target. Accompanied with a change in the
End-System Route Server configuration such that VPN "tenant1" only End-System Route Server configuration such that VPN "tenant1" only
imports routes with the Route Target associated with the hub. The imports routes with the Route Target associated with the hub. The
"hub" VPN is assumed to advertise a prefix that covers all the VPN "hub" VPN is assumed to advertise a prefix that covers all the VPN
clients IP addresses. The "hub" VPN imports the VPN routes in order clients IP addresses. The "hub" VPN imports the VPN routes in order
for it to be able to generate the XMPP updates to the "hub" end- for it to be able to generate the XMPP updates to the "hub" end-
skipping to change at page 21, line 20 skipping to change at page 23, line 44
middle-box would often require connectivity to multiple VPNs, such as middle-box would often require connectivity to multiple VPNs, such as
for instance an "outside" VPN which provides external connectivity to for instance an "outside" VPN which provides external connectivity to
one or more "inside" VPNs. one or more "inside" VPNs.
The functionality defined in this document in which the BGP IP VPN PE The functionality defined in this document in which the BGP IP VPN PE
functionality is split into its control (End-System Route Servers) functionality is split into its control (End-System Route Servers)
and forwarding (VPN Forwarder) components is fully interoperable with and forwarding (VPN Forwarder) components is fully interoperable with
existing BGP IP VPN PEs. existing BGP IP VPN PEs.
This makes it possible to reuse existing systems. For example, at This makes it possible to reuse existing systems. For example, at
the edge of a data-center facility it may be desirable to use an the edge of a data center facility it may be desirable to use an
existing router or appliance that aggregates IP VPN routing existing router or appliance that aggregates IP VPN routing
information and/or provides IP based services such as stateful packet information and/or provides IP based services such as stateful packet
inspection. inspection.
Such a system can be configured, based on existing functionality, to Such a system can be configured, based on existing functionality, to
suppress more specific routes than a specified aggregate while suppress more specific routes than a specified aggregate while
advertising the aggregate with a BGP NEXT_HOP containing the PE's IP advertising the aggregate with a BGP NEXT_HOP containing the PE's IP
address and a locally assigned label corresponding to a VRF where the address and a locally assigned label corresponding to a VRF where the
more specific routes are present. more specific routes are present.
9. IANA Considerations 9. IANA Considerations
This document has no IANA actions. IANA has allocated the value 13 corresponding to "MPLS in UDP
Encapsulation" from the "BGP Tunnel Encapsulation Attribute Tunnel
Types" registry, using this document as reference. We request that
this allocation be made permanent.
This document defines a URN namespace used to encode L3VPN Unicast
routing information compliant with the registration procedure define
in [RFC3688].
URI: urn:ietf:params:xml:ns:bgp:l3vpn:unicast
Description: This is the XML namespace name for L3VPN Unicast
routing information.
Registrant Contact: IETF BESS Working Group <bess@ietf.org>
10. Security Considerations 10. Security Considerations
The signaling protocol defines the access control policies for each As with BGP/MPLS L3VPN, we assume that the tenant networks have no
virtual interface and any guest application associated with it. It direct reachability to the infrastructure network. The threat models
is important to secure the end-system access to End-System Route to consider are:
Servers and the BGP infrastructure itself.
The XMPP session between end-systems and the Route Servers MUST use The possibility that an attacker on a tenant network may inject
mutual authentication. One possible strategy is to distribute pre- traffic to a different network (for instance belonging to a
signed certificates to end-systems which are presented as proof of different tenant).
authorization to the Route Server.
BGP sessions MUST be authenticated. This document recommends that Denial of service attacks from within a tenant network.
BGP speaking systems filter traffic on port 179 such that only IP
addresses which are known to participate in the BGP signaling
protocol are allowed.
As a security measure, it is recommended that virtual and Attacks from a tenant network to the infrastructure via
infrastructure topologies never be allowed to exchange traffic unauthorized or malicious control traffic.
directly. The infrastructure network containing the end-systems is
typically isolated from the outside world. Attacks from within the infrastructure network.
BGP/MPLS L3VPN forwards traffic based on the contents of VRF tables,
calculated according to configured routing policy (route-target
import/export policies). It is assumed that the configuration
management system responsible to provision this policies only accepts
requests that are correctly authenticated and follow a pre-defined
access policy. It is also assumed that an attacker doesn't have the
ability to inject packets in the infrastructure that mimic the
encapsulated used between PE devices. This specification recommends
that operators ensure that MPLS over GRE and MPLS over UDP traffic is
not allowed to enter the infrastructure network. VPN forwarders MAY
also choose to perform a reverse path forwarding lookup (i.e., lookup
the source IP address of the payload packet) and discard traffic that
doesn't match the expected next-hop(s) for the reverse route.
As with BGP/MPLS L3VPN, an attacker on a tenant network may inject
packets that consume a disproportional share of infrastructure
resources, either in terms of bandwidth or CE packet forwarding
capacity. VPN forwarders SHOULD provide the ability to rate limit
traffic from a specific virtual interface. When the VPN forwarder
uses other finite resources on a per traffic basis such as internal
tables used to cache the result access control validation, it SHOULD
provide a mechanism to limit the usage of these resources on a per
virtual interface basis.
The control protocol exchanges between application instances (e.g.,
the virtual machine) behind a virtual interface and the VPN forwarder
are typically limited to ARP/ND exchanges and the proxying of
services such as DHCP and DNS. The ARP/ND information received from
the application instance SHOULD NOT be used to populate routing or
forwarding tables directly. The control of what MACs and IP
addresses are accepted by a virtual interface SHOULD reside on the
configuration management system that creates said virtual interface.
The XMPP session between end-systems and the Route Servers SHOULD use
TLS with mutual authentication. One possible strategy is to
distribute pre-signed certificates to end-systems which are presented
as proof of authorization to the Route Server. BGP sessions SHOULD
be authenticated. This document recommends that BGP speaking systems
filter traffic on port 179 such that only IP addresses which are
known to participate in the BGP signaling protocol are allowed.
11. XML schema 11. XML schema
The following schema defines the XML elements that are used to The following schema defines the XML elements that are used to
communicate unicast reachability information between the Route Server communicate unicast reachability information between the Route Server
and VPN Forwarder: and VPN Forwarder:
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
targetNamespace= targetNamespace=
"http://www.ietf.org/bgp-l3vpn-unicast.xsd"> "urn:ietf:params:xml:ns:bgp:l3vpn:unicast">
<xsd:simpleType name="TunnelEncapsulationType"> <xsd:simpleType name="TunnelEncapsulationType">
<xsd:restriction base="xsd:string"> <xsd:restriction base="xsd:string">
<xsd:enumeration value="gre"/> <xsd:enumeration value="gre"/>
<!-- RFC 4023 -->
<xsd:enumeration value="udp"/> <xsd:enumeration value="udp"/>
<xsd:enumeration value="vxlan"/> <!-- draft-ietf-mpls-in-udp -->
</xsd:restriction> </xsd:restriction>
</xsd:simpleType> </xsd:simpleType>
<xsd:complexType name="TunnelEncapsulationListType"> <xsd:complexType name="TunnelEncapsulationListType">
<xsd:sequence> <xsd:sequence>
<xsd:element name="tunnel-encapsulation" <xsd:element name="tunnel-encapsulation"
type="TunnelEncapsulationType" type="TunnelEncapsulationType"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xsd:sequence> </xsd:sequence>
</xsd:complexType> </xsd:complexType>
skipping to change at page 23, line 17 skipping to change at page 26, line 45
<xsd:element name="safi" type="xsd:integer"/> <xsd:element name="safi" type="xsd:integer"/>
<xsd:element name="address" type="xsd:string"/> <xsd:element name="address" type="xsd:string"/>
</xsd:sequence> </xsd:sequence>
</xsd:complexType> </xsd:complexType>
<xsd:complexType name="EntryType"> <xsd:complexType name="EntryType">
<xsd:all> <xsd:all>
<xsd:element name="nlri" type="IPAddressType"/> <xsd:element name="nlri" type="IPAddressType"/>
<xsd:element name="next-hops" type="NextHopListType"/> <xsd:element name="next-hops" type="NextHopListType"/>
<xsd:element name="sequence-number" type="xsd:integer"/> <xsd:element name="sequence-number" type="xsd:integer"/>
<xsd:element name="local-preference" type="xsd:integer"/> <xsd:element name="local-preference" type="xsd:integer"/>
</xsd:all> </xsd:all>
</xsd:complexType> </xsd:complexType>
<xsd:complexType name="ItemType"> <xsd:complexType name="ItemType">
<xsd:sequence> <xsd:sequence>
<xsd:element name="entry" type="EntryType"/> <xsd:element name="entry" type="EntryType"/>
</xsd:sequence> </xsd:sequence>
</xsd:complexType> </xsd:complexType>
<xsd:complexType name="ItemsType"> <xsd:complexType name="ItemsType">
<xsd:sequence> <xsd:sequence>
<xsd:element name="item" type="ItemType" <xsd:element name="item" type="ItemType"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xsd:sequence> </xsd:sequence>
</xsd:complexType> </xsd:complexType>
<xsd:element name="items" type="ItemsType"/> <xsd:element name="items" type="ItemsType"/>
skipping to change at page 23, line 47 skipping to change at page 27, line 27
12. Acknowledgements 12. Acknowledgements
Yakov Rekhter has contributed to this document by providing detailed Yakov Rekhter has contributed to this document by providing detailed
feedback and suggestions. The authors would also like to thank feedback and suggestions. The authors would also like to thank
Thomas Morin for his comments. Thomas Morin for his comments.
Amit Shukla and Ping Pan contributed to earlier versions of this Amit Shukla and Ping Pan contributed to earlier versions of this
document. document.
Benson Schliesser provided a detailed review of the document and help
clarify several sections.
13. References 13. References
13.1. Normative References
[RFC1027] Carl-Mitchell, S. and J. Quarterman, "Using ARP to 13.1. Normative References
implement transparent subnet gateways", RFC 1027, October
1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
MPLS in IP or Generic Routing Encapsulation (GRE)", RFC DOI 10.17487/RFC3688, January 2004,
4023, March 2005. <http://www.rfc-editor.org/info/rfc3688>.
[RFC4023] Worster, T., Rekhter, Y., and E. Rosen, Ed.,
"Encapsulating MPLS in IP or Generic Routing Encapsulation
(GRE)", RFC 4023, DOI 10.17487/RFC4023, March 2005,
<http://www.rfc-editor.org/info/rfc4023>.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, February 2006. Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
2006, <http://www.rfc-editor.org/info/rfc4364>.
[RFC4456] Bates, T., Chen, E., and R. Chandra, "BGP Route [RFC4456] Bates, T., Chen, E., and R. Chandra, "BGP Route
Reflection: An Alternative to Full Mesh Internal BGP Reflection: An Alternative to Full Mesh Internal BGP
(IBGP)", RFC 4456, April 2006. (IBGP)", RFC 4456, DOI 10.17487/RFC4456, April 2006,
<http://www.rfc-editor.org/info/rfc4456>.
[RFC4684] Marques, P., Bonica, R., Fang, L., Martini, L., Raszuk, [RFC4684] Marques, P., Bonica, R., Fang, L., Martini, L., Raszuk,
R., Patel, K., and J. Guichard, "Constrained Route R., Patel, K., and J. Guichard, "Constrained Route
Distribution for Border Gateway Protocol/MultiProtocol Distribution for Border Gateway Protocol/MultiProtocol
Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual
Private Networks (VPNs)", RFC 4684, November 2006. Private Networks (VPNs)", RFC 4684, DOI 10.17487/RFC4684,
November 2006, <http://www.rfc-editor.org/info/rfc4684>.
[RFC5512] Mohapatra, P. and E. Rosen, "The BGP Encapsulation [RFC5512] Mohapatra, P. and E. Rosen, "The BGP Encapsulation
Subsequent Address Family Identifier (SAFI) and the BGP Subsequent Address Family Identifier (SAFI) and the BGP
Tunnel Encapsulation Attribute", RFC 5512, April 2009. Tunnel Encapsulation Attribute", RFC 5512, DOI 10.17487/
RFC5512, April 2009,
<http://www.rfc-editor.org/info/rfc5512>.
[RFC5798] Nadas, S., "Virtual Router Redundancy Protocol (VRRP) [RFC5798] Nadas, S., Ed., "Virtual Router Redundancy Protocol (VRRP)
Version 3 for IPv4 and IPv6", RFC 5798, March 2010. Version 3 for IPv4 and IPv6", RFC 5798, DOI 10.17487/
RFC5798, March 2010,
<http://www.rfc-editor.org/info/rfc5798>.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 6120, March 2011. Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120,
March 2011, <http://www.rfc-editor.org/info/rfc6120>.
[RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A.,
Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based
Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February
2015, <http://www.rfc-editor.org/info/rfc7432>.
[RFC7510] Xu, X., Sheth, N., Yong, L., Callon, R., and D. Black,
"Encapsulating MPLS in UDP", RFC 7510, DOI 10.17487/
RFC7510, April 2015,
<http://www.rfc-editor.org/info/rfc7510>.
[RFC7622] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Address Format", RFC 7622, DOI 10.17487/
RFC7622, September 2015,
<http://www.rfc-editor.org/info/rfc7622>.
[xep-0004]
Eatmon, R., Hildebrand, J., Miller, J., Muldowney, T., and
P. Saint-Andre, "Data Forms", XEP 0004, August 2007.
[pubsub] Millard, P., Saint-Andre, P., and R. Meijer, "Publish- [pubsub] Millard, P., Saint-Andre, P., and R. Meijer, "Publish-
Subscribe", XEP 0060, July 2010. Subscribe", XEP 0060, July 2010.
13.2. Informational References 13.2. Informational References
[RFC1027] Carl-Mitchell, S. and J. Quarterman, "Using ARP to
implement transparent subnet gateways", RFC 1027, DOI
10.17487/RFC1027, October 1987,
<http://www.rfc-editor.org/info/rfc1027>.
[RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
and D. McPherson, "Dissemination of Flow Specification and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, August 2009. Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<http://www.rfc-editor.org/info/rfc5575>.
[I-D.ietf-mpls-in-udp] [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
Xu, X., Sheth, N., Yong, L., Pignataro, C., and F. (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010,
Yongbing, "Encapsulating MPLS in UDP", draft-ietf-mpls-in- <http://www.rfc-editor.org/info/rfc5880>.
udp-05 (work in progress), January 2014.
[I-D.ietf-l2vpn-evpn] [RFC7365] Lasserre, M., Balus, F., Morin, T., Bitar, N., and Y.
Sajassi, A., Aggarwal, R., Bitar, N., Isaac, A., and J. Rekhter, "Framework for Data Center (DC) Network
Uttaro, "BGP MPLS Based Ethernet VPN", draft-ietf-l2vpn- Virtualization", RFC 7365, DOI 10.17487/RFC7365, October
evpn-08 (work in progress), September 2014. 2014, <http://www.rfc-editor.org/info/rfc7365>.
[IEEE.802-1Q] [IEEE.802-1Q]
Institute of Electrical and Electronics Engineers, "Local Institute of Electrical and Electronics Engineers, "Local
and Metropolitan Area Networks: Virtual Bridged Local Area and Metropolitan Area Networks: Virtual Bridged Local Area
Networks", IEEE Std 802.1Q-2005, May 2006. Networks", IEEE Std 802.1Q-2005, May 2006.
Authors' Addresses Authors' Addresses
Pedro Marques Pedro Marques
Juniper Networks Juniper Networks
 End of changes. 109 change blocks. 
228 lines changed or deleted 448 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/