IETF Logo Mail Archive

Re: MPLS over L2TPv3 encap for RFC 2547 VPNs

"W. Mark Townsley" <townsley@cisco.com> Fri, 06 February 2004 16:14 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA02839 for <l3vpn-archive@odin.ietf.org>; Fri, 6 Feb 2004 11:14:19 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ap8c3-0006Kt-P5 for l3vpn-archive@odin.ietf.org; Fri, 06 Feb 2004 11:13:52 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i16GDp4B024349 for l3vpn-archive@odin.ietf.org; Fri, 6 Feb 2004 11:13:51 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ap8c3-0006Ke-JC for l3vpn-web-archive@optimus.ietf.org; Fri, 06 Feb 2004 11:13:51 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA02800 for <l3vpn-web-archive@ietf.org>; Fri, 6 Feb 2004 11:13:48 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Ap8c2-0007KU-00 for l3vpn-web-archive@ietf.org; Fri, 06 Feb 2004 11:13:50 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Ap8b8-0007GR-00 for l3vpn-web-archive@ietf.org; Fri, 06 Feb 2004 11:12:55 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1Ap8aI-0007Cq-00 for l3vpn-web-archive@ietf.org; Fri, 06 Feb 2004 11:12:02 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ap8aF-00063K-Ke; Fri, 06 Feb 2004 11:11:59 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ap8a6-00061o-NU for l3vpn@optimus.ietf.org; Fri, 06 Feb 2004 11:11:50 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA02680 for <l3vpn@ietf.org>; Fri, 6 Feb 2004 11:11:46 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Ap8a4-0007B9-00 for l3vpn@ietf.org; Fri, 06 Feb 2004 11:11:48 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Ap8ZB-00078C-00 for l3vpn@ietf.org; Fri, 06 Feb 2004 11:10:53 -0500
Received: from rtp-iport-2.cisco.com ([64.102.122.149]) by ietf-mx with esmtp (Exim 4.12) id 1Ap8YU-00072D-00 for l3vpn@ietf.org; Fri, 06 Feb 2004 11:10:10 -0500
Received: from rtp-core-2.cisco.com (64.102.124.13) by rtp-iport-2.cisco.com with ESMTP; 06 Feb 2004 08:09:30 -0800
Received: from fruitpie.cisco.com (IDENT:mirapoint@fruitpie.cisco.com [64.102.16.27]) by rtp-core-2.cisco.com (8.12.9/8.12.6) with ESMTP id i16G9cYO011792; Fri, 6 Feb 2004 11:09:38 -0500 (EST)
Received: from cisco.com (ams-clip-vpn-dhcp177.cisco.com [10.61.64.177]) by fruitpie.cisco.com (Mirapoint Messaging Server MOS 3.3.6-GR) with ESMTP id AWU82813; Fri, 6 Feb 2004 08:09:36 -0800 (PST)
Message-ID: <4023BC3F.5040101@cisco.com>
Date: Fri, 06 Feb 2004 17:09:35 +0100
From: "W. Mark Townsley" <townsley@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Yakov Rekhter <yakov@juniper.net>
CC: mpls@UU.NET, l3vpn@ietf.org
Subject: Re: MPLS over L2TPv3 encap for RFC 2547 VPNs
References: <200402041955.i14Jt8h00257@merlot.juniper.net>
In-Reply-To: <200402041955.i14Jt8h00257@merlot.juniper.net>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: l3vpn-admin@ietf.org
Errors-To: l3vpn-admin@ietf.org
X-BeenThere: l3vpn@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=unsubscribe>
List-Id: <l3vpn.ietf.org>
List-Post: <mailto:l3vpn@ietf.org>
List-Help: <mailto:l3vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit


Yakov Rekhter wrote:

> Mark,
> 
> 
>>Yakov Rekhter wrote:
>>
>>
>>>Please document in your draft what is exactly "prudent" about BGP.
>>
>>Using draft-ietf-l3vpn-ipsec-2547-01.txt as a guide:
>>
>>"RFC2547 already provides an egress-to-ingress signaling capability via BGP, 
>>and we specify below how to extend this to the signalling of security policy."
>>
>>I will add this text to the l3vpn-l2tpv3 document:
>>
>>"RFC2547 already provides an egress-to-ingress signaling capability via BGP, 
>>[NALAWADE] or [RAGGARWA] specifies how to extend this to the signaling of 
>>L2TPv3 reachability information for a PE."
> 
> 
> Sorry, but the analogy with draft-ietf-l3vpn-ipsec-2547-01.txt does
> not work. This is because draft-ietf-l3vpn-ipsec-2547-01.txt does
> *not* replace IPSec signaling with BGP. All it does is specifying
> how to use BGP to indicate whether a particular VPN on a PE should
> use IPSec to get traffic to that PE.

Read again. The ipsec-2547 draft refers to encoding more than just whether or 
not to reach a PE via IPsec vs. MPLS (as if this is somehow OK, when advertising 
other bits of reachability information for the PE isn't).

Specifically, the draft refers to encoding of the BGP "IPsec Extended Community" 
or "Tunnel Type Extended Community" to:

- accept, deny, or direct traffic with different IPsec policies (e.g., how to 
process a packet based on the SPI received within the IPsec header).

- determine if a PE may be reached via GRE or IP (e.g., which IP protocol type 
and header format to use).

The l3vpn-l2tpv3 draft is encoding somewhat similar information. e.g., Accept an 
MPLS-labeled payload on the IP Protocol Type for L2TPv3, and process or drop it 
based on the Session/Cookie received in the L2TPv3 header.

Bottom line, if you throw out one, you are really going to have to throw out the 
other. Niether of which I think is a good idea.

> 
> In contrast your draft uses BGP not just to specify whether a
> particular VPN on a PE should use l2tp to get traffic to that PE,
> but also uses BGP to carry the l2tp session and cookie (l2tp signaling
> information). That is, in contrast to draft-ietf-l3vpn-ipsec-2547-01.txt
> your draft does replace the l2tp signaling protocol with BGP, thus
> eliminating the need for l2tp signaling with the l2tp signaling
> protocol.
> 
> Just tell us why BGP signaling is any better than l2tp signaling.

I will say it again. (1) This is an application of 2547 which is already using 
BGP, and (2) L2TP needs to distribute a *single* PE Session/Cookie to be used by 
every participating 2547-PE for VPN traffic destined to that PE (much like a 
single IP address is distributed to every participating PE for VPN traffic 
destined to that PE).

> 
> 
>>>That is, there is nothing in your draft that is specific to just 
>>
>> > 2547. E.g., it is equally applicable to VR based L3VPNs. Therefore,
>> > the draft has to be generalized to cover any multipoint-to-point
>> > application of MPLS over l2tp.
>>
>>No, the l3vpn-l2tpv3 draft specifies carrying an MPLS label for a VPN-IPv4 
>>address distributed via RFC2547 extensions to BGP between PEs. I should not 
>>extend this draft to cover other L3VPN models any more than 
>>draft-ietf-l3vpn-ipsec-2547-01.txt or draft-ietf-l3vpn-gre-ip-2547-00.txt 
>>should. Shall I rename it to something with "2547" in the title to be 
>>more clear?
> 
> 
> First of all I'd like to thank you for pointing that both
> draft-ietf-l3vpn-ipsec-2547-01.txt or draft-ietf-l3vpn-gre-ip-2547-00.txt
> took a fairly narrow point of view. This is a bug, not a feature,
> and therefore it should be fixed.

I have no problem with someone documenting how a VR-based VPN should work, but 
why do this in the same draft? Would you consider adding VR VPNs to 2547bis?

> 
> Second, the restriction on the applicability of your draft to 2547 is
> quite arbitrary. 

Hardly arbitrary.

> That is, there are *no* technical justifications for this restriction.

VRs and 2547 are different technical approaches, what technical justification is 
there for putting them in the *same* document?

 > And the fact that some other drafts took a fairly
> narrow view of the problem is no justification for continuing this.

And adding my document to the mix is justification for taking the other 
documents off course?

Write some VR text. I have absolutely no problem with that. But procedurally or 
technically I don't see why 2547 and VR must be a part of the same document.

- Mark

> 
> 
>>>>>3. The security claims have to be reviewed by the Security ADs.
>>
>>I am more than happy to have discussions with Security ADs on this topic.
> 
> 
> Thanks. Please post the outcome of this discussion to the list.
>  
> Yakov. 
>

v2.23.0 | Report a Bug | By Email