December 14, 2000 - 49th IETF - PPVPN BOF/WG minutes
Summary: Awaiting charter finalization from IESG and finalization of teams for various work items in about four weeks.
MINUTES:
1. Introduction and agenda bashing by chairs:
The chairs, Marco Carugi and Rick Wilder, started with agenda bashing. It was briefly explained that the charter of the previously proposed nbvpn working group would be expanded to include IPSec and Layer 2 VPNs within the scope of the new ppvpn working group. Thanks were expressed to Bryan Gleeson and Kireeti Kompella for preparing presentations on a short notice on IPSec and Layer 2 VPNs respectively.
Marco informed the audience that the term "nbvpn" would be changed to "ppvpn" on the mailing list, the website archive and all other relevant places to reflect the new name of the WG. The chairs also said that the charter of the new WG had not been finalized.
2. Message from Area Director - Rob Coltun :
The area director, Rob Coltun, said that in the interest of discussions on WG scope and charter, some of the presentations at the end of the agenda may lose out. Rob gave a brief overview of the proposed new area to include work on sub-IP technologies, generalized control, ppvpn etc. The idea would be to minimize/avoid potential overlap between WGs.
Questions/Comments:
Q. Eric Rosen : What are we trying to get done in the new area? Rob only mentioned better organization of work, but what is the actual work that will be done in the area, particularly the ppvpn WG?
A. Rob : This work didn't exist before, so we are doing new work and better organizing it.
Q. Rick Wilder: Rephrasing Eric's question, where are we at in terms of the status of this WG?
A. Rob: This effort (ppvpn) IS A WG at this time.
Q. Eric: We left Pittsburgh with an idea of a (nbvpn) WG. The IESG has been shuffling/adding/deleting work items. What is the clear criteria of this WG?
A. Rob: A revised charter has been proposed by the IESG. I admit the process has sucked and is frustrating!
Comment: Karthik Muthukrishnan : It would be good to discuss the charter now, rather than at the end.
The chairs took over and discussed the draft revised charter.
3. Draft charter - Rick Wilder:
Rick reiterated that the text was not finalized. Two main additions were made from the previous nbvpn charter -
1. Service scope: changed from network-based to provider-provisioned, hence broadened the scope.
2. Service providers may provide Layer 3 or Layer 2 services (introduction of Layer 2 is a change from previous charter). Examples include MPLS-based L2 vpns (Kompella draft).
IESG wants to highlight "service functional components"
Limits of scope:
- Service Provider's needs
- Functional architecture abstraction from transmission infrastructure
- Framework document
- Service requirements document
- Small number of ppvpn profiles (currently 2547bis-based and Virtual Router-based)
- foster interoperability between profiles
- document/identify gaps and shortcomings of each profile
Questions:
Q. Ananth Nagarajan: Since Layer 2 has been included within the scope of the charter, will ATM/Frame Relay based VPNs be also included?
A. Rick: Yes. IP-based VPNs over ATM/FR will not be excluded from scope.
Comment: Rob Coltun: Edge-to-edge encryption is also part of the scope of the WG.
A. Rick : Agreed.
4. Outline for a framework for NBVPN - Ross Callon 10 min
(draft-callon-NBVPN-outline-00.txt)
Main objectives: Discuss technical issues for ppvpns (since scope of original nbvpn has been widened, it will be necessary to update the draft to reflect the wider scope of ppvpn). Also describe trade-offs between the different approaches.
What the draft does not attempt to do :
- provide solutions for specific approaches
- Making choices in engineering tradeoffs
- protocol specifications
Why is this draft only an "outline for a framework" versus a "framework"?
- Authors could only agree on an outline in limited time available. Only rough text is currently in the draft, since the authors did not have time to agree on text. The outline will be "twiddled" as text is filled in.
- More people want to use VPNs than build VPNs. The former set of people should read the first four chapters and the latter should read the rest of the chapters
Questions/Comments:
Q. Bilel Jamoussi: Since you mentioned more people want to use VPNs, we need more service provider input in the draft. Would like to see more service providers among the co-authors.
A. Ross: Agreed.
5. Update of a framework for NBVPN - Muneyoshi Suzuki 13 min
(draft-suzuki-nbvpn-framework-02.txt)
Goals: Interworking, common service framework and common management framework.
Contents: assumed services, logical architecture and reference models, requirements for interfaces and MIBs.
Update from previous version:
- models updated to apply to Virtual Routers (VR) and VPN Routing/Forwarding (VRF) models
- Definitions of VR and VRF
- Addition to classification of interfaces : network-facing-side, intra-subnetwork and subnetwork interfaces.
Muneyoshi also mentioned that the targets of standardization work should include:
- customer facing side interface
- network facing side interface
- customer MIBs
- Device MIBs
Requirements for identifiers, interfaces and MIBs were also presented.
In conclusion, Muneyoshi mentioned that the draft needed to be revised to reflect the wider scope of the updated charter.
Questions/comments:
Q. Bilel: Will the two framework documents be merged?
A. Marco: A framework team will be formed and its task may include merging the two documents and developing a separate service requirement document and framework document.
Comment. Dave McDysan: The first goal of the framework doc is interworking. This goal is not achievable with the expansion of the scope to include managed CPE along with network-based VPNs. Suggest the use of the term "interconnect" instead.
A. Rick: Agreed. Interoperability will continue to be a goal.
6. Update of the MPLS VPN work at ITU SG13 - Carugi 5 min
(see "related ITU work" at //nbvpn.francetelecom.com)
Marco described the work being done in Question 20/Study Group 13 of the ITU-T under the study period 2000-2003 to develop a recommendation on network-based IP VPNs. The previous draft recommendation y.ipvpn is now split into draft y.1311 (generic recommendation on network-based vpn architectures) and y.1311.1 (network-based vpn architecture and service specifically using MPLS).
The work was initiated in the SG 13 meeting in Kyoto and continued in the interim meeting in Ottawa in September and the SG13 meeting in Geneva in November. In the Geneva meeting, additional requirements were specified, most of which will be moved to the generic recommendation y.1311. There was also a discussion on service models and the decomposition of VPNs to a Virtual Service Network and Virtual Transport Network.
Marco mentioned that an interim meeting would be held in Boston in February 2001 to progress work on the recommendations, especially y.1311.1 in time for the SG13 plenary in May 2001.
One of the main goals of the ITU-T work is to continue cooperation with the IETF. For example, the IETF may re-use some of the service requirements and service deployment scenarios that have been contributed by various service providers for the ITU-T recommendations. Further details on the ITU-T work are available at http://nbvpn.francetelecom.com/ituRelated.html
Marco also presented an outline of Y.1311.1 and mentioned that any sub-recommendation y.1311.X could be produced in the future based on market requirements.
Questions/Comments:
Q. Geoff Huston: Does the IETF have open access to the ITU-T documents?
A. Marco: no official answer to this from the ITU. The mentioned documents are informally accessible from the France Telecom PPVPN (NBVPN) web site.
Q. Dave McDysan: Charter of y.1311 looked adequate. Why not adopt this for PPVPN?
A. Rick: PPVPN also includes Layer 2 services which are outside the scope of y.1311
A. Rob Coltun: IETF work will also include "IpSec" VPNs (for lack of a better name) besides L2 VPNs.
Q. Yakov Rekhter: What is the reason for including Frame Relay and ATM (Layer 2) and not including SDH-based VPNs?
A. Rick: The scope of the WG is based on scaling, sharing and other practical considerations. Customer networks are using Frame Relay and ATM. This does not mean we are precluding SDH (will include based on customer feedback).
A. Rob: There would be potential overlap between PPVPN and the CEOT BOF.
7. IPSEC VPNs : context and main issues - Bryan Gleeson - 10 min
Bryan presented an overview of IPSec VPNs. The main objectives of this talk were to describe where IPSec can be used and to solicit requirements. CPE-based IPSec VPNs have existed for a long time. IPSec can be deployed in three scenarios : CPE-CPE, PE-PE and PE-CPE.
The CPE-CPE scenario would involve voluntary IPSec tunnels. These are typically site-to-site VPNs with arbitrary topologies (hub and spoke is most common). They include remote host dial-up, IPSec clients wherever available. The service provider only sees IP packets.
In the PE-PE scenario, we could have either Layer 3 or Layer 2 VPNs (wherein IPSec is tunneled within MPLS, as an example).
The CPE-PE scenario would provide secure remote access to a network-based VPN via compulsory IPSec tunnels.
Bryan mentioned the current IPSec-related WGs like IPSec, IPSP and IPSRA and their respective scopes. Requirements were solicited for the following:
- ability to associate IPSec tunnel with a VPN (example, add a VPN-ID to IKE2 negotiation)
- ability to run routing protocols over IPSec tunnels
- allow null encryption and null authentication
- more flexible diffserv marking rules.
Questions/Comments:
Q. Eric Rosen: Confused about what this WG needs to do in this space, since all the work has been done in other WGs. What is the specific additional requirement for service-provider-managed CPE-to-CPE IPSec VPNs versus unmanaged CPE-to-CPE VPNs?
A. Bryan: Agree with what Eric said. No answer to these questions.
A. Rick: To start with, this scope will just be included in the framework document. Then, we will be able to determine whether any additional work needs to be done.
Q. Suresh Krishnan: No need for "flexible" diffserv marking rules. What is meant by this?
A. Bryan: This is a specific requirement within IPSec specifications.
A. Shahram Davari: RFC 2983 describes Diffserv for IPSec tunnels.
8. Layer 2 VPNs : general introduction (context, main issues) ,
MPLS-based L2 VPNs - Kireeti Kompella 15 min
(draft-kompella-mpls-l2vpn-02.txt) min
Kireeti started off with a disclaimer that this was an example using MPLS, but it was independent of any Layer 2 technology under MPLS. The disadvantages of traditional Layer 2 VPNs are:
- multiple networks to manage
- complex provisioning
- topology dictated by cost rather than traffic patterns
- multiple networks - adds to the service providers' administrative burden
The first question that arises is how to decouple the edge (CE-facing) technology from the core technology and have a single network infrastructure for the desired service. One answer is MPLS, since it is layer 2 agnostic. One can have several services over MPLS. MPLS also provides label stacking and uses IP signaling, which works great and is highly extensible. One could use diffserv and traffic engineering mechanisms with MPLS. MPLS-based Layer 2 VPNs are independent of Layer 3 (IPX, IP etc). The service provider is not responsible for routing. Also, MPLS transport decouples the edge and core. It also enables the autoprovisioning of VPNs, and provides a single architecture for both Internet and VPN traffic.
The second question is whether the "P" (Private) in VPN is good enough? In other words, is the concept of different virtual circuits per VPN (e.g. ATM, FR, MPLS) good enough? Privacy is not equivalent to security. Encryption is a MUST if you want security. In CE-CE VPNs, IPSec should be used for security. In PE-PE VPNs, security should be achieved per-VPN and per PE-PE session.
The contrast between Layer 2 and Layer 3 VPNs is that, in the latter, the service provider participates in the customer's routing. This adds to the service provider's responsibilities. However, since the provider is able to look at IP packets, value-added services can be provided, but at an additional cost.
Questions/Comments:
Q. Bilel: What additional work needs to be done in L2 MPLS VPNs?
A. Andy Malis: Signaling
Comment. Ananth: This was just an example using MPLS. Suppose ATM/FR were used instead, then the work to be done would include ATM and FR signaling, which is clearly outside the scope of the IETF.
Q. Chandrasekhar Kathirvelu - There are clearly more advantages for L3 VPNs over L2. How is this approach different from BGP-MPLS VPNs (rf2547bis)?
A. Kireeti: Two things - one is the large number of routes in L2 VPNs,
Second is that L3 VPNs are independent of customers size.
Comment. Yakov: Since customers are asking for both L2 and L3 VPNs, we must do both.
9. OSPF as the PE-CE protocol in BGP/MPLS VPNs - Rosen 10 min
(draft-rosen-vpns-ospf-bgp-mpls-00.txt)
In the rfc2547-bis proposal, if the provider backbone runs OSPF as the IGP, VPN-IP routes from BGP must be imported by OSPF. OSPF tends to treat BGP routes as "second-class citizens" i.e., as external routes as opposed to inter or intra-area. This may be appropriate for BGP routes from the Internet, but not for BGP routes from a VPN. This draft attempts to address this issue by running OSPF between PE and CE. The main requirements are: a) to include routes from other VPN sites b) the VPN backbone should be able to connect two Area 0 segments c) Stick as much as possible to the basic principle of using BGP to distribute routes.
Eric described the solution for Inter-area and AS-external VPNs. The PE router is designated as Area 0 router and receives AS-external/inter-area routes from CE. The PE re-originates inter-area LSAs/external LSAs. Loop prevention in re-originated LSAs is achieved by route tag in external LSA and flag bit in inter-area LSA.
Eric also mentioned that the intra-area case (where 2 VPNs are in the same OSPF area) is complicated. It is only needed if the IGP backdoor link can't be an area0 link.
Questions/Comments:
Q (name not known): One of the advantages of rfc2547bis is not to have to manage PE-CE link. This draft introduces that problem. What is the value?
A. Eric: Somewhat agree, but this work was requested by a large number of people! It is also useful in transitional situations.
10. Using BGP as an Auto-Discovery Mechanism for NBVPN -