IETF Logo Mail Archive

RE: MPLS over L2TPv3 encap for RFC 2547 VPNs

richard.spencer@bt.com Fri, 06 February 2004 22:34 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA26499 for <l3vpn-archive@odin.ietf.org>; Fri, 6 Feb 2004 17:34:30 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ApEY0-0005eQ-Ch for l3vpn-archive@odin.ietf.org; Fri, 06 Feb 2004 17:34:04 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i16MY4P2021716 for l3vpn-archive@odin.ietf.org; Fri, 6 Feb 2004 17:34:04 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ApEY0-0005dw-3v for l3vpn-web-archive@optimus.ietf.org; Fri, 06 Feb 2004 17:34:04 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA26474 for <l3vpn-web-archive@ietf.org>; Fri, 6 Feb 2004 17:34:00 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ApEXx-0000Tx-00 for l3vpn-web-archive@ietf.org; Fri, 06 Feb 2004 17:34:01 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1ApEXA-0000Q0-00 for l3vpn-web-archive@ietf.org; Fri, 06 Feb 2004 17:33:13 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1ApEW1-0000Lv-00 for l3vpn-web-archive@ietf.org; Fri, 06 Feb 2004 17:32:01 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ApEW2-0005Rw-6O; Fri, 06 Feb 2004 17:32:02 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AoZ3Q-0000bX-KL for l3vpn@optimus.ietf.org; Wed, 04 Feb 2004 21:15:44 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA13622 for <l3vpn@ietf.org>; Wed, 4 Feb 2004 21:15:41 -0500 (EST)
From: richard.spencer@bt.com
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AoZ3O-000009-00 for l3vpn@ietf.org; Wed, 04 Feb 2004 21:15:42 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AoZ2T-0007i2-00 for l3vpn@ietf.org; Wed, 04 Feb 2004 21:14:46 -0500
Received: from smtp3.smtp.bt.com ([217.32.164.138] helo=i2kc03-ukbr.domain1.systemhost.net) by ietf-mx with esmtp (Exim 4.12) id 1AoZ1a-0007Vi-00 for l3vpn@ietf.org; Wed, 04 Feb 2004 21:13:50 -0500
Received: from i2km95-ukbr.domain1.systemhost.net ([193.113.197.29]) by i2kc03-ukbr.domain1.systemhost.net with Microsoft SMTPSVC(5.0.2195.6713); Thu, 5 Feb 2004 02:13:20 +0000
Received: from i2km41-ukdy.domain1.systemhost.net ([193.113.30.29]) by i2km95-ukbr.domain1.systemhost.net with Microsoft SMTPSVC(5.0.2195.6713); Thu, 5 Feb 2004 02:13:19 +0000
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: MPLS over L2TPv3 encap for RFC 2547 VPNs
Date: Thu, 05 Feb 2004 02:13:18 -0000
Message-ID: <B5E87B043D4C514389141E2661D255EC03845039@i2km41-ukdy.domain1.systemhost.net>
Thread-Topic: MPLS over L2TPv3 encap for RFC 2547 VPNs
Thread-Index: AcPrWgvYNwpeEMcQSj67xeC4f+CSnwAKuQ8g
To: yakov@juniper.net, townsley@cisco.com
Cc: mpls@UU.NET, l3vpn@ietf.org
X-OriginalArrivalTime: 05 Feb 2004 02:13:19.0321 (UTC) FILETIME=[9F5EC490:01C3EB8D]
Content-Transfer-Encoding: quoted-printable
Sender: l3vpn-admin@ietf.org
Errors-To: l3vpn-admin@ietf.org
X-BeenThere: l3vpn@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=unsubscribe>
List-Id: <l3vpn.ietf.org>
List-Post: <mailto:l3vpn@ietf.org>
List-Help: <mailto:l3vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.3 required=5.0 tests=AWL, NO_REAL_NAME autolearn=no version=2.60
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable

Mark,

The justification for using L2TP as opposed to IP or GRE encapsulation over an IP PSN seems to be that security is improved. However, from what I understand security in an IP/GRE encapsulated PSN using 2547 is exactly the same as a PSN using MPLS, i.e. security is not an issue and is comparable to FR/ATM. That is unless the same PSN is to be used for carrying Internet traffic (natively, not inside a VPN) and customer VPN traffic, in which case the same security risks apply to MPLS 2547 networks and IP 2547 networks anyway. The inherent problem being that IP the control traffic shares the same data plane as the public Internet traffic, unlike ATM which uses an out-of-band control plane (and is the only sensible solution to the problem, i.e. use reserved labels for control/management traffic in MPLS).

>From an L2 perspective I can see that L2TP could be useful as it is well suited for encapsulating and signalling L2 tunnels. However, I do not see why L2TP is useful for L3 VPNs, why not just use GRE or IP encapsulations, which don't require any signalling? I could maybe understand if a provider was using L2TP for L2 services and wanted to reuse L2Tp for L3 services, but if so, why use BGP signalling why not use L2TP signalling?

Also, I do not agree with the use of the phrase "RFC 2547 Style VPNs", which is used several times within this draft. I would not consider RFC2547 to be a 'style' of VPNs, I would consider RFC2547 to be a specific VPN implementation, just like FR or ATM are specific VPN implantations. Why is the word 'style' used? Why not just say RFC 2547 VPNs?

Richard 

> -----Original Message-----
> From: owner-mpls@UU.NET [mailto:owner-mpls@UU.NET]On Behalf Of Yakov
> Rekhter
> Sent: 04 February 2004 20:55
> To: W. Mark Townsley
> Cc: mpls@UU.NET; l3vpn@ietf.org
> Subject: Re: MPLS over L2TPv3 encap for RFC 2547 VPNs 
> 
> 
> Mark,
> 
> > Yakov Rekhter wrote:
> > 
> > > Please document in your draft what is exactly "prudent" about BGP.
> > 
> > Using draft-ietf-l3vpn-ipsec-2547-01.txt as a guide:
> > 
> > "RFC2547 already provides an egress-to-ingress signaling 
> capability via BGP, 
> > and we specify below how to extend this to the signalling 
> of security policy."
> > 
> > I will add this text to the l3vpn-l2tpv3 document:
> > 
> > "RFC2547 already provides an egress-to-ingress signaling 
> capability via BGP, 
> > [NALAWADE] or [RAGGARWA] specifies how to extend this to 
> the signaling of 
> > L2TPv3 reachability information for a PE."
> 
> Sorry, but the analogy with draft-ietf-l3vpn-ipsec-2547-01.txt does
> not work. This is because draft-ietf-l3vpn-ipsec-2547-01.txt does
> *not* replace IPSec signaling with BGP. All it does is specifying
> how to use BGP to indicate whether a particular VPN on a PE should
> use IPSec to get traffic to that PE.
> 
> In contrast your draft uses BGP not just to specify whether a
> particular VPN on a PE should use l2tp to get traffic to that PE,
> but also uses BGP to carry the l2tp session and cookie (l2tp signaling
> information). That is, in contrast to 
> draft-ietf-l3vpn-ipsec-2547-01.txt
> your draft does replace the l2tp signaling protocol with BGP, thus
> eliminating the need for l2tp signaling with the l2tp signaling
> protocol.
> 
> Just tell us why BGP signaling is any better than l2tp signaling.
> 
> > > That is, there is nothing in your draft that is specific to just 
> >  > 2547. E.g., it is equally applicable to VR based L3VPNs. 
> Therefore,
> >  > the draft has to be generalized to cover any multipoint-to-point
> >  > application of MPLS over l2tp.
> > 
> > No, the l3vpn-l2tpv3 draft specifies carrying an MPLS label 
> for a VPN-IPv4 
> > address distributed via RFC2547 extensions to BGP between 
> PEs. I should not 
> > extend this draft to cover other L3VPN models any more than 
> > draft-ietf-l3vpn-ipsec-2547-01.txt or 
> draft-ietf-l3vpn-gre-ip-2547-00.txt 
> > should. Shall I rename it to something with "2547" in the 
> title to be 
> > more clear?
> 
> First of all I'd like to thank you for pointing that both
> draft-ietf-l3vpn-ipsec-2547-01.txt or 
> draft-ietf-l3vpn-gre-ip-2547-00.txt
> took a fairly narrow point of view. This is a bug, not a feature,
> and therefore it should be fixed.
> 
> Second, the restriction on the applicability of your draft to 2547 is
> quite arbitrary. That is, there are *no* technical justifications
> for this restriction. And the fact that some other drafts 
> took a fairly 
> narrow view of the problem is no justification for continuing this.
> 
> > >>>3. The security claims have to be reviewed by the Security ADs.
> > 
> > I am more than happy to have discussions with Security ADs 
> on this topic.
> 
> Thanks. Please post the outcome of this discussion to the list.
>  
> Yakov. 
>

v2.23.0 | Report a Bug | By Email