1 - 2 - 4 - 6 - 8 - A - B - C - D - E - F - G - H - I - J - L - M - N - O - P - Q - R - S - T - U - V - W
VPN
Click on the red underlined text to get to the source
... BGP-MP] is then used by the Service Provider to exchange the
routes of a particular VPN among the PE routers that are attached to
that VPN ...
... VPN among the PE routers that are attached to
that VPN. This is done in a way that ensures that routes from
different VPNs remain distinct and separate, even if two VPNs ...
... that VPN. This is done in a way that ensures that routes from
different VPNs remain distinct and separate, even if two VPNs have an
overlapping address space ...
... VPN. This is done in a way that ensures that routes from
different VPNs remain distinct and separate, even if two VPNs have an
overlapping address space. The PE routers ...
... overlapping address space. The PE routers distribute, to the CE
routers in a particular VPN, the routes from other the CE routers in
that VPN ...
... VPN, the routes from other the CE routers in
that VPN. The CE routers do not peer with each other, hence there is
no "overlay" visible to the VPN ...
... VPN. The CE routers do not peer with each other, hence there is
no "overlay" visible to the VPN's routing algorithm. The term "IP"
...
... routing algorithm. The term "IP"
in "IP VPN" is used to indicate that the PE receives IP datagrams
...
... MPLS-ENCAPS] label; when BGP distributes
a VPN route, it also distributes an MPLS label for that route.
...
... MPLS label that corresponds, in
the customer's VPN, to the route that is the best match to the
packet's destination address ...
... the backbone core routers do not need to know the VPN routes.
The primary goal of this method ...
... extranet, an Internet Service Provider, an application service
provider, another VPN Service Provider that uses this same method to
offer VPNs ...
... VPN Service Provider that uses this same method to
offer VPNs to clients of its own, etc. The method makes it very
...
...
These subsets are Virtual Private Networks (VPNs). Two sites have IP
connectivity over the common backbone ...
... IP
connectivity over the common backbone only if there is some VPN that
contains them both. Two sites that have no VPN in common have no
...
... backbone only if there is some VPN that
contains them both. Two sites that have no VPN in common have no
connectivity over that backbone.
...
... backbone.
If all the sites in a VPN are owned by the same enterprise, the VPN
may be thought of as a corporate "intranet ...
...
If all the sites in a VPN are owned by the same enterprise, the VPN
may be thought of as a corporate "intranet". If the various sites in
...
... may be thought of as a corporate "intranet". If the various sites in
a VPN are owned by different enterprises, the VPN may be thought of
as an "extranet ...
... intranet". If the various sites in
a VPN are owned by different enterprises, the VPN may be thought of
as an "extranet". A site can be in more than one VPN ...
... VPN may be thought of
as an "extranet". A site can be in more than one VPN; e.g., in an
intranet and in several extranets ...
... intranet and in several extranets. In general, when we use the term
"VPN" we will not be distinguishing between intranets and extranets.
...
... Application Service Provider, another
SP that offers the same kind of VPN service to its own customers,
etc.
...
...
The policies that determine whether a particular collection of sites
is a VPN are the policies of the customers. Some customers will want
...
... The mechanisms we describe are general enough to allow these policies
to be implemented either by the SP alone or by a VPN customer
together with the SP ...
... The mechanisms discussed in this document allow the implementation of
a wide range of policies. For example, within a given VPN, one can
allow every site to have a direct route to every other site ("full
mesh ...
... discussion to the case in which the
customer is explicitly purchasing VPN service from an SP, or from a
set of SPs ...
... SP, or from a
set of SPs that have agreed to cooperate to provide the VPN service.
That is, the customer is not merely purchasing internet access ...
... internet access from
an SP, and the VPN traffic does not pass through a random collection
of interconnected SP networks.
...
...
In the rest of this introduction, we specify some properties that
VPNs should have. The remainder of this document specifies a set of
mechanisms that can be deployed to provide a VPN model that has all
...
... VPNs should have. The remainder of this document specifies a set of
mechanisms that can be deployed to provide a VPN model that has all
these properties. This section also introduces some of the technical
terminology used in the remainder of the document.
...
...
We will say that a PE router is attached to a particular VPN if it is
attached to a CE device that is in a site of that VPN ...
... VPN if it is
attached to a CE device that is in a site of that VPN. Similarly, we
will say that a PE router is attached to a particular site if it is
...
... inter-site routing issues. In other words, in the scheme
described in this document, a VPN is NOT an "overlay" on top of the
SP's network ...
... VPNs with Overlapping Address Spaces ...
...
If two VPNs have no sites in common, then they may have overlapping
address spaces. That is, a given address might be used in VPN ...
... VPNs have no sites in common, then they may have overlapping
address spaces. That is, a given address might be used in VPN V1 as
the address of system S1, but in VPN ...
... VPN V1 as
the address of system S1, but in VPN V2 as the address of a
completely different system S2. This is a common situation when the
...
... address of a
completely different system S2. This is a common situation when the
VPNs each use an RFC 1918 private address space. Of course, within
...
... address must be unambiguous.
Even two VPNs that do have sites in common may have overlapping
address spaces, as long as there is no need for any communication
between systems with such addresses ...
... VPNs with Different Routes to the Same System ...
...
Although a site may be in multiple VPNs, it is not necessarily the
case that the route to a given system at that site should be the same
...
... case that the route to a given system at that site should be the same
in all the VPNs. Suppose, for example, we have an intranet
consisting of sites A, B, and C, and an extranet ...
... router in an SP's backbone had to maintain routing
information for all the VPNs supported by the SP, there would be
severe scalability ...
... router. It is important therefore that the
routing information about a particular VPN only needs to be present
in the PE routers that attach to that VPN ...
... VPN only needs to be present
in the PE routers that attach to that VPN. In particular, the P
routers do not need to have ANY per-VPN routing information ...
... VPN. In particular, the P
routers do not need to have ANY per-VPN routing information
whatsoever. (This condition may need to be relaxed somewhat when
multicast routing ...
... backbone or "virtual backbone" to administer for each VPN. Site-to-
site routing in the backbone ...
... backbone is optimal (within the constraints of
the policies used to form the VPNs) and is not constrained in any way
by an artificial "virtual topology" of tunnels ...
...
VPNs of the sort being discussed here, even without making use of
cryptographic security measures, are intended to provide a level of
...
... Frame Relay) is used. That is, in the absence of misconfiguration or
deliberate interconnection of different VPNs, it is not possible for
systems in one VPN to gain access to systems in another VPN ...
... deliberate interconnection of different VPNs, it is not possible for
systems in one VPN to gain access to systems in another VPN. Of
course, the methods ...
... VPNs, it is not possible for
systems in one VPN to gain access to systems in another VPN. Of
course, the methods described herein do not by themselves encrypt ...
... or otherwise ceases to be the preferred route, but the two geographic
locations can continue to communicate by using the VPN backbone, then
one site has become two.)
...
... CE device is always regarded as being in a single site (though as
we shall see in Section 3.2, a site may consist of multiple "virtual
sites"). A site, however, may belong to multiple VPNs.
A PE router ...
... CE devices from any number of different
sites, whether those CE devices are in the same or in different VPNs.
A CE device may, for robustness, attach to multiple PE routers ...
... PE router maintains a number of separate forwarding tables. One
of the forwarding tables is the "default forwarding table". The
others are "VPN Routing and Forwarding tables", or "VRFs".
...
... VRF. The set of routes in that VRF should be limited
to the set of routes leading to sites that have at least one VPN in
common with S. Then a packet sent from S over a VRF attachment
circuit ...
... VRF attachment
circuit can only be routed by the PE to another site S' if S' is in
one of the same VPNs as S. That is, communication (via PE routers)
is prevented between any pair of VPN sites ...
... VPNs as S. That is, communication (via PE routers)
is prevented between any pair of VPN sites that have no VPN in
common. Communication between VPN sites ...
... PE routers)
is prevented between any pair of VPN sites that have no VPN in
common. Communication between VPN sites and non-VPN sites ...
... VPN sites that have no VPN in
common. Communication between VPN sites and non-VPN sites is
prevented by keeping the routes to the VPN sites ...
... VPN in
common. Communication between VPN sites and non-VPN sites is
prevented by keeping the routes to the VPN sites out of the default
...
... VPN sites and non-VPN sites is
prevented by keeping the routes to the VPN sites out of the default
forwarding table.
...
... VRFs, rather than with a single VRF. This can be
useful if it is desired to divide a single VPN into several
"sub-VPNs", each with different connectivity restrictions, where some
...
... useful if it is desired to divide a single VPN into several
"sub-VPNs", each with different connectivity restrictions, where some
characteristic of the customer packets is used to select from among
...
... characteristic of the customer packets is used to select from among
the sub-VPNs. For simplicity though, we will usually speak of an
attachment circuit as being associated with a single VRF ...
... with the sites of CE2 and CE3. Routes from sites that are not in VPN
V do not appear in these VRFs, which means that packets from CE2 ...
... PEs also need to learn, from other PEs, the routes that belong to a
given VPN. The procedures to be used for populating the VRFs with
the proper sets of routes are specified in Section 4.
...
... VRF unless each CE is in the exact same set
of VPNs as is the other.
If an attachment circuit ...
...
If an attachment circuit leads to a site which is in multiple VPNs,
the attachment circuit may still associated with a single VRF ...
... VRF, in
which case the VRF will contain routes from the full set of VPNs of
which the site is a member.
...
... VPN Route Distribution via BGP ...
... PE routers use BGP to distribute VPN routes to each other (more
accurately, to cause VPN routes to be distributed to each other).
...
... BGP to distribute VPN routes to each other (more
accurately, to cause VPN routes to be distributed to each other).
We allow each VPN ...
... VPN routes to be distributed to each other).
We allow each VPN to have its own address space, which means that a
given address ...
... own address space, which means that a
given address may denote different systems in different VPNs. If two
routes to the same IP address prefix ...
... The VPN-IPv4 Address Family ...
... from multiple "address families". We introduce the notion of the
"VPN-IPv4 address family". A VPN-IPv4 address is a 12-byte quantity,
...
... address families". We introduce the notion of the
"VPN-IPv4 address family". A VPN-IPv4 address is a 12-byte quantity,
beginning with an 8-byte Route Distinguisher ...
... RD) and ending with a
4-byte IPv4 address. If several VPNs use the same IPv4 address
prefix, the PEs translate these into unique VPN-IPv4 address ...
... VPNs use the same IPv4 address
prefix, the PEs translate these into unique VPN-IPv4 address
prefixes. This ensures that if the same address ...
... prefixes. This ensures that if the same address is used in several
different VPNs, it is possible for BGP to carry several completely
different routes to that address ...
... BGP to carry several completely
different routes to that address, one for each VPN.
Since VPN-IPv4 addresses ...
... information; it does not identify the origin of the route or the set
of VPNs to which the route is to be distributed. The purpose of the
RD ...
... extranet traffic. This can be achieved by creating two
different VPN-IPv4 routes that have the same IPv4 part, but different
RDs ...
... RDs are given this structure in order to ensure that an SP that
provides VPN backbone service can always create a unique RD when it
...
...
As stated, a VPN-IPv4 address consists of an 8-byte Route
Distinguisher followed by a 4-byte IPv4 address. The RDs ...
...
In this section, we discuss the way in which the distribution of the
VPN-IPv4 routes is controlled.
If a PE router ...
...
If a PE router is attached to a particular VPN (by being attached to
a particular CE in that VPN ...
... VPN (by being attached to
a particular CE in that VPN), it learns some of that VPN's IP routes
...
... a particular CE in that VPN), it learns some of that VPN's IP routes
from the attached CE router ...
... routing protocol; this is discussed in Section 7.
These routes are then converted to VPN-IP4 routes, and "exported" to
BGP. If there is more than one route ...
... BGP. If there is more than one route to a particular VPN-IP4 address
prefix, BGP chooses the "best" one, using the BGP decision process.
...
... BGP will again choose the
best route for a particular VPN-IP4 address prefix. Then the chosen
VPN-IP4 routes are converted back into IP routes ...
... route for a particular VPN-IP4 address prefix. Then the chosen
VPN-IP4 routes are converted back into IP routes, and "imported" into
one or more VRFs ...
... Targets". The two sets are distinct, and need not be the same. Note
that a particular VPN-IPv4 route is only eligible for installation in
a particular VRF if there is some Route Target ...
... agree in advance on the set of RTs that are allowed to be attached to
the customer's VPN routes. The CE could then attach one or more of
those RTs to each IP route ...
... PEs that are in the same Autonomous
System, the PEs can distribute VPN-IPv4 routes to each other by means
of an IBGP connection between them. (The term "IBGP ...
... BGP next hop". This address is encoded as a
VPN-IPv4 address with an RD of 0. ([BGP-MP] requires that the next
hop ...
... MPLS label. (Essentially, PE routers distribute not VPN-IPv4 routes,
but Labeled VPN-IPv4 routes. Cf. [MPLS-BGP ...
... PE routers distribute not VPN-IPv4 routes,
but Labeled VPN-IPv4 routes. Cf. [MPLS-BGP].) When the PE processes
...
... Quality of Service (QoS) characteristics. All that matters for the
VPN architecture is that some such tunnel exists. To ensure
interoperability ...
... tunnel exists. To ensure
interoperability among systems that implement this VPN architecture
using MPLS label switched paths as the tunneling technology ...
... Autonomous System Border Router (ASBR) for an inter-provider VPN (see
Section 10), should not install a VPN-IPv4 route unless it has at
...
... inter-provider VPN (see
Section 10), should not install a VPN-IPv4 route unless it has at
least one VRF with an Import Target ...
... to one of the PE's VRFs (a "VPN Join" operation), it must then
acquire the routes it may previously have discarded. This can be
...
...
A router that is not attached to any VPN and that is not a Route
Reflector (i.e., a P router) never installs any VPN-IPv4 routes ...
... VPN and that is not a Route
Reflector (i.e., a P router) never installs any VPN-IPv4 routes at
all.
...
... As a result of these distribution rules, no one PE ever needs to
maintain all routes for all VPNs; this is an important scalability
consideration.
...
... Route reflectors are the only systems that need to have routing
information for VPNs to which they are not directly attached.
However, there is no need to have any one route reflector know all
...
... However, there is no need to have any one route reflector know all
the VPN-IPv4 routes for all the VPNs supported by the backbone.
...
...
We outline below two different ways to partition the set of VPN-IPv4
routes among a set of route reflectors.
...
... with a block of Route Targets. This way, when a new Route
Target is needed for a new VPN, there is already one or more
route reflectors ...
... client of the route reflector(s) that maintain routes for
that VPN. Likewise, deleting an existing VPN from the PE ("VPN ...
... route reflector(s) that maintain routes for
that VPN. Likewise, deleting an existing VPN from the PE ("VPN
...
... VPN. Likewise, deleting an existing VPN from the PE ("VPN
Prune") may result in a situation where the PE ...
... brought down, only to be brought right back up.
(By "adding a new VPN to a PE", we really mean adding a new
import Route Target ...
... clients' "disappearance" is only temporary.
With this procedure, VPN Join and Prune operations are also
...
...
In these procedures, a PE router which attaches to a particular VPN
"auto-discovers" the other PEs that attach to the same VPN ...
... VPN
"auto-discovers" the other PEs that attach to the same VPN. When a
new PE router is added, or when an existing PE router ...
... PE router is added, or when an existing PE router attaches to a
new VPN, no reconfiguration of other PE routers is needed.
...
...
Just as there is no one PE router that needs to know all the VPN-IPv4
routes supported over the backbone, these distribution rules ensure
that there is no one Route Reflector ...
... Route Reflector (RR) that needs to know all the
VPN-IPv4 routes supported over the backbone. As a result, the total
number of such routes that can be supported over the backbone ...
... How VPN-IPv4 NLRI Is Carried in BGP ...
... the NLRI is an MPLS-labeled VPN-IPv4 address. AFI 1 is used since
the network layer protocol ...
... NLRI is still IP.
Note that this VPN architecture does not require the capability to
distribute unlabeled VPN-IPv4 addresses.
...
... Note that this VPN architecture does not require the capability to
distribute unlabeled VPN-IPv4 addresses.
In order for two BGP speakers ...
...
In order for two BGP speakers to exchange labeled VPN-IPv4 NLRI, they
must use BGP Capabilities Advertisement to ensure that they both are
...
... SAFI of 128.
The labeled VPN-IPv4 NLRI itself is encoded as specified in
[MPLS-BGP], where the prefix ...
... Building VPNs Using Route Targets ...
... Targets and Export Targets properly, one can
construct different kinds of VPNs.
Suppose it is desired to create ...
... Alternatively, suppose one desired, for whatever reason, to create a
"hub and spoke" kind of VPN. This could be done by the use of two
Route Target values, one meaning "Hub" and one meaning "Spoke". At
...
... methods for controlling the distribution of routing
information among various sets of sites are very flexible, which in
turn provides great flexibility in constructing VPNs.
...
... routers in the backbone do not have any
information about the routes to the VPNs, how are packets forwarded
from one VPN site to another?
...
... information about the routes to the VPNs, how are packets forwarded
from one VPN site to another?
When a PE ...
... route that best matches the
packet's destination address. Call this label the "VPN route label".
The IP packet is turned into an MPLS packet ...
... The IP packet is turned into an MPLS packet with the VPN route label
as the sole label on the label stack.
...
... PE routers (and any Autonomous System border routers) that
redistribute VPN-IPv4 addresses need to insert /32 address
prefixes for themselves into the IGP routing tables ...
... penultimate hop popping is used, the packet is then sent to
the IGP Next Hop, carrying only the VPN route label.
* Otherwise, the IGP Next Hop ...
... MPLS will then carry the packet across the backbone to the BGP
Next Hop, where the VPN label will be examined.
If the backbone ...
... MPLS, the MPLS packet carrying only
the VPN route label may be tunneled to the BGP Next Hop using the
techniques of [MPLS-in-IP-GRE ...
...
At the BGP Next Hop, the treatment of the packet depends on the VPN
route label (see Section 4.3.2). In many cases, the PE will be able
to determine, from this label, the attachment circuit ...
... VRF before being forwarded to a
CE device. There are also intermediate cases in which the VPN route
label may determine the packet's egress attachment circuit, but a
...
... PE.
The fact that packets with VPN route labels are tunneled through the
backbone is what makes it possible to keep all the VPN routes ...
... VPN route labels are tunneled through the
backbone is what makes it possible to keep all the VPN routes out of
the P routers. This is crucial to ensuring the scalability ...
... Maintaining Proper Isolation of VPNs ...
...
To maintain proper isolation of one VPN from another, it is important
that no router in the backbone ...
...
The PE routers that attach to a particular VPN need to know, for each
attachment circuit leading to that VPN ...
... VPN need to know, for each
attachment circuit leading to that VPN, which of the VPN's addresses
...
... attachment circuit leading to that VPN, which of the VPN's addresses
should be reached over that attachment circuit ...
... configured RD. The PE then treats these VPN-IPv4 routes as input to
BGP. Routes from a VPN site ...
... VPN-IPv4 routes as input to
BGP. Routes from a VPN site are NOT leaked into the backbone's IGP.
...
... route distribution techniques are possible
depends on whether or not a particular CE is in a "transit VPN". A
"transit VPN" is one that contains a router ...
... CE is in a "transit VPN". A
"transit VPN" is one that contains a router that receives routes from
a "third party ...
... a "third party" (i.e., from a router that is not in the VPN, but is
not a PE router) and that redistributes those routes to a PE router ...
... PE router) and that redistributes those routes to a PE router.
A VPN that is not a transit VPN is a "stub VPN". The vast majority
...
... A VPN that is not a transit VPN is a "stub VPN". The vast majority
of VPNs, including just about all corporate enterprise networks ...
... VPN is a "stub VPN". The vast majority
of VPNs, including just about all corporate enterprise networks,
would be expected to be "stubs" in this sense.
...
... 1. Static routing (i.e., configuration) may be used. (This is
likely to be useful only in stub VPNs.)
2. PE and CE routers ...
... PE router, say,
PE1, receives a VPN-IPv4 route R1, and as a result distributes
an IPv4 route ...
... routers), unless PE2
maps R2 to a VPN-IPv4 route that is different than (i.e.,
contains a different RD than) R1 ...
... OSPF peer of CE routers
that are in distinct VPNs, the PE must of course be running
multiple instances of OSPF ...
... OSPF are
redistributed into BGP as VPN-IPv4 routes. Extended Community
attributes are used to carry, along with the route ...
... route to be distributed to
other CE routers in the VPN in the proper type of OSPF Link
State ...
... address prefixes that are at the CE router's site. (This
technique can be used in stub VPNs or transit VPNs.)
...
... CE router's site. (This
technique can be used in stub VPNs or transit VPNs.)
This technique has a number of advantages over the others:
...
... administrators.
If a site is not in a transit VPN, note that it need not have a
unique Autonomous System Number (ASN ...
... ASN). Every CE whose site is
not in a transit VPN can use the same ASN. This can be chosen
from the private ASN space ...
... Origin
attribute (see below).
What if a set of sites constitutes a transit VPN? This will
generally be the case only if the VPN is itself an Internet
Service Provider ...
... What if a set of sites constitutes a transit VPN? This will
generally be the case only if the VPN is itself an Internet
Service Provider's (ISP's) network ...
... SP may be
called a "carrier's carrier". In this case, the best way to
provide the VPN is to have the CE routers support MPLS, and to
...
...
Before a PE can redistribute a VPN-IPv4 route learned from a site, it
must assign a Route Target attribute (see Section 4.3.1) to the
...
... not itself need to distribute the default route to other sites.
(E.g., if one site in a corporate VPN has the corporation's access to
the Internet, that site might need to have default distributed to the
...
... VPN services in turn to its own customers.
VPNs like these can also obtain backbone service from another SP ...
... CE routers should distribute to the PE routers ONLY those
routes that are internal to the VPN. This allows the VPN to be
handled as a stub VPN ...
... PE routers ONLY those
routes that are internal to the VPN. This allows the VPN to be
handled as a stub VPN.
...
... connections
among themselves for the purpose of exchanging external routes
(i.e., routes that lead outside of the VPN).
- All the external routes must be known to the CE routers ...
... BGP next hop is more than one hop away, the top label will be
replaced by two labels, a tunnel label and a VPN route label. If the
BGP next hop is one hop away, the top label may be replaced by just
...
... BGP next hop is one hop away, the top label may be replaced by just
the VPN route label. If the ingress PE is also the egress PE, the
...
... CE routers are the only routers in the
VPN that need to support MPLS. If, on the other hand, all the
routers ...
... MPLS. If, on the other hand, all the
routers at a particular VPN site support MPLS, then it is no longer
required that the CE routers ...
...
What if two sites of a VPN are connected to different Autonomous
Systems (e.g., because the sites are connected to different SPs)?
...
... SPs)?
The PE routers attached to that VPN will then not be able to maintain
IBGP connections with each other, or with a common route reflector ...
... route reflector.
Rather, there needs to be some way to use EBGP to distribute VPN-IPv4
addresses.
There are a number of different ways of handling this case, which we
...
... PE routers will be attached by
multiple sub-interfaces, at least one for each of the VPNs
whose routes need to be passed from AS to AS ...
... PE routers use IBGP to redistribute
labeled VPN-IPv4 routes either to an Autonomous System Border
Router (ASBR), or to a route reflector ...
... ASBR then uses EBGP to redistribute those labeled
VPN-IPv4 routes to an ASBR in another AS, which in turn
...
... ASBR which in turn distributes them, and so on.
When using this procedure, VPN-IPv4 routes should only be
accepted on EBGP connections at private peering points, as part
...
... EBGP connections at private peering points, as part
of a trusted arrangement between SPs. VPN-IPv4 routes should
neither be distributed to nor accepted from the public
Internet, or from any BGP peers ...
... it has actually distributed the top label to that peer.
If there are many VPNs having sites attached to different
Autonomous Systems, there does not need to be a single ASBR ...
... between those two ASes that holds all the routes for all the
VPNs; there can be multiple ASBRs, each of which holds only the
routes for a particular subset of the VPNs ...
... VPNs; there can be multiple ASBRs, each of which holds only the
routes for a particular subset of the VPNs.
This procedure requires that there be a label switched path ...
...
c) Multi-hop EBGP redistribution of labeled VPN-IPv4 routes
between source and destination ASes ...
... AS.
In this procedure, VPN-IPv4 routes are neither maintained nor
distributed by the ASBRs. An ASBR ...
... PE
routers in different ASes can establish multi-hop EBGP
connections to each other, and can exchange VPN-IPv4 routes
over those connections.
...
... Accessing the Internet from a VPN ...
...
Many VPN sites will need to be able to access the public Internet, as
well as to access other VPN sites ...
... VPN sites will need to be able to access the public Internet, as
well as to access other VPN sites. The following describes some of
the alternative ways of doing this.
...
... the alternative ways of doing this.
1. In some VPNs, one or more of the sites will obtain Internet
access by means of an "Internet gateway ...
... not be the same organization as the SP that is providing the
VPN service. Traffic to/from the Internet gateway ...
... redistribute it to other PEs and hence into other sites of the
VPN. This provides Internet access for all of the VPN's sites.
...
... VPN. This provides Internet access for all of the VPN's sites.
In order to properly handle traffic ...
... Internet, routes leading to addresses
that are within the VPN. This is completely independent of any
of the route distribution procedures described in this
...
... of the route distribution procedures described in this
document. The internal structure of the VPN will in general
not be visible from the Internet; such routes would simply lead
...
... Internet; such routes would simply lead
to the non-VRF interface that attaches to the VPN's Internet
gateway ...
... In this model, there is no exchange of routes between a PE
router's default forwarding table and any of its VRFs. VPN
route distribution procedures and Internet route distribution
...
... procedures are completely independent.
Note that although some sites of the VPN use a VRF interface to
communicate with the Internet ...
... Internet traverse a non-VRF interface before
leaving/entering the VPN, so we refer to this as "non-VRF
Internet access ...
...
3. Suppose the PE has the capability to store "non-VPN routes" in
a VRF. If a packet's destination address ...
... a VRF. If a packet's destination address matches a "non-VPN
route", then the packet is transmitted natively, rather than
being transmitted via MPLS. If the VRF ...
... being transmitted via MPLS. If the VRF contains a non-VPN
default route, all packets for the public Internet ...
... Management VPNs ...
... to the interface to come from either the address space of the VPN or
the address space of the SP ...
... following possibilities:
- Packets from within a VPN travel to a site outside the VPN, other
than in a manner consistent with the policies of the VPN ...
...
- Packets from within a VPN travel to a site outside the VPN, other
than in a manner consistent with the policies of the VPN.
...
... VPN travel to a site outside the VPN, other
than in a manner consistent with the policies of the VPN.
- Packets from outside a VPN ...
... VPN.
- Packets from outside a VPN enter one of the VPN's sites, other
than in a manner consistent with the policies of the VPN ...
...
- Packets from outside a VPN enter one of the VPN's sites, other
than in a manner consistent with the policies of the VPN.
...
... VPN enter one of the VPN's sites, other
than in a manner consistent with the policies of the VPN.
Under the following conditions:
...
... any labels lower in the stack will be inspected, and
2. labeled VPN-IPv4 routes are not accepted from untrusted or
unreliable routing peers,
...
... data plane security provided by this architecture is virtually
identical to that provided to VPNs by Frame Relay or ATM backbones ...
... If the devices under the control of the SP are properly configured,
data will not enter or leave a VPN unless authorized to do so.
Condition 1 above can be stated more precisely. One should discard a
...
... Condition 2 above is of most interest in the case of inter-provider
VPNs (see Section 10). For inter-provider VPNs constructed according
...
... VPNs (see Section 10). For inter-provider VPNs constructed according
to scheme b) of Section 10, condition 2 is easily checked. (The
issue of security ...
... [MPLS-in-IP-GRE]. If it is desired to use such tunnels to carry VPN
packets, then the security considerations described in Section 8 of
that document must be fully understood. Any implementation of
...
... security considerations described in Section 8 of
that document must be fully understood. Any implementation of
BGP/MPLS IP VPNs that allows VPN packets to be tunneled as described
in that document MUST contain an implementation of IPsec ...
... that document must be fully understood. Any implementation of
BGP/MPLS IP VPNs that allows VPN packets to be tunneled as described
in that document MUST contain an implementation of IPsec that can be
...