]> The IPv6 VPN Service Destination Option Juniper Networks
Herndon Virginia USA rbonica@juniper.net
CERNET Center/Tsinghua University
Beijing China xing@cernet.edu.cn
Old Dog Consulting
UK adrian@olddog.co.uk
NTT Communications Corporation
3-4-1 Shibaura Minato-ku Japan y.kamite@ntt.com
Verizon
Richardson Texas USA luay.jalil@one.verizon.com
Internet 6man IPv6, Destination Option, VPN This document describes an experiment in which VPN service information for both layer 2 and layer 3 VPNs is encoded in a new IPv6 Destination Option. The new IPv6 Destination Option is called the VPN Service Option. One purpose of this experiment is to demonstrate that the VPN Service Option can be implemented and deployed in a production network. Another purpose is to demonstrate that the security considerations, described in this document, are sufficient to protect use of the VPN Service Option. Finally, this document encourages replication of the experiment.
Introduction Generic Packet Tunneling allows a router in one network to encapsulate a packet in an IP header and send that packet across the Internet to another router, creating a virtual link. The receiving router removes the outer IP header and forwards the original packet into its own network. One motivation for Generic Packet Tunneling is to provide connectivity between two networks that share a private addressing plan but are not connected by direct links. In this case, all sites in the first network are accessible to all sites in the second network. Likewise, all sites in the second network are accessible to all sites in the first network. Virtual Private Networks (VPN) technologies provide additional functionality, allowing network providers to emulate private networks by using shared infrastructure. For example, assume that red sites and blue sites connect to a provider network. The provider network allows communication among red sites. It also allows communication among blue sites. However, it prevents communication between red sites and blue sites. The IETF has standardized many VPN technologies, including:
  • Layer 2 VPN (L2VPN) .
  • Layer 3 VPN (L3VPN) .
  • Virtual Private LAN Service (VPLS) .
  • Ethernet VPN (EVPN) .
  • Pseudowires .
The VPN technologies mentioned above share the following characteristics:
  • An ingress Provider Edge (PE) device tunnels customer data to an egress PE device. A popular tunnel technology for all of these VPN approaches is MPLS where the tunnel header includes an MPLS service label. The service label identifies a Forwarding Information Base (FIB) entry on the egress PE.
  • The egress PE removes the tunnel header, exposing the customer data. It then searches its FIB for an entry that matches the incoming service label. If the egress PE finds this entry, it forwards the customer data to a Customer Edge (CE) device. If it does not find this entry, it discards the packet.
The mechanism described above requires both PE devices (ingress and egress) to support MPLS. It cannot be deployed where one or both of the PEs does not support MPLS. This document describes an experiment in which VPN service information for both layer 2 and layer 3 VPNs is encoded in a new IPv6 Destination Option called the VPN Service Option. This option will allow VPNs to be deployed between Provider Edge routers that support IPv6 but do not support MPLS. One purpose of this experiment is to demonstrate that the VPN Service Option can be implemented and deployed in a production network. Another purpose is to demonstrate that the security considerations, described in this document, are sufficient to protect use of the VPN Service Option. Experimenters should report any security flaws that they discover. Finally, this document encourages replication of the experiment, so that operational issues can be discovered.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 when, and only when, they appear in all capitals, as shown here.
The VPN Service Option The VPN Service Option is an IPv6 Destination Option encoded following the encoding rules defined in . As shown in section 4.2 of the IPv6 Destination Option contains three fields: Option Type, Opt Data Len, Option Data. For the VPN Service Option the fields are used as follows:
  • Option Type: 8-bit selector. VPN Service Option. This field MUST be set to RFC3692-style Experiment (0x5E). See Note below.
  • Opt Data Len - 8-bit unsigned integer. Length of the option, in octets, excluding the Option Type and Option Length fields. This field MUST be set to 4.
  • Option Data - 32 bits. VPN Service Information:
    • High-order 12 bits: Reserved. SHOULD be set to 0 by the sender and MUST be ignored by the receiver.
    • Low-order 20 bits: Identifies a FIB entry on the egress PE. The FIB entry determines how the egress PE will forward customer data to a CE device.
The VPN Service Option MAY appear in a Destination Options header that precedes an upper-layer header. It MUST NOT appear in any other extension header. If a receiver finds the VPN Service option in another extension header that it is processing, the option will be unrecognized, and the packet MUST be processed according to the setting of the two highest order bits of the Option Type (see NOTE below). NOTE: For this experiment, the Option Type is set to '01011110', i.e., 0x5E. The highest-order two bits are set to 01 to indicate that the required action by a destination node that does not recognize the option is to discard the packet. The third highest-order bit is set to 0 to indicate that Option Data cannot be modified along the path between the packet's source and its destination. The remaining low-order bits are set to '11110' to indicate the single IPv6 Destination Option Type code point available in the registry for experimentation.
Forwarding Plane Considerations The ingress PE encapsulates the customer payload in a tunnel header. The tunnel header contains:
  • An IPv6 header
  • An optional IPv6 Authentication Header (AH)
  • An IPv6 Destination Options Extension Header
The IPv6 header contains:
  • Version - Defined in . MUST be equal to 6.
  • Traffic Class - Defined in .
  • Flow Label - Defined in .
  • Payload Length - Defined in .
  • Next Header - Defined in . MUST be equal to either Authentication Header (51) or Destination Options (60).
  • Hop Limit - Defined in .
  • Source Address - Defined in . Represents an interface on the ingress PE device.
  • Destination Address - Defined in . Represents an interface on the egress PE device.
If the Authentication Header is present, it contains:
  • Next Header - Defined in . MUST be equal to Destination Options (60) or Encapsulating Security Payload (ESP) (50).
  • Payload Length - Defined in .
  • Reserved - Defined in . MUST be set to zero by the sender, and SHOULD be ignored by the recipient.
  • Security Parameters Index (SPI) - Defined in .
  • Sequence Number - Defined in .
  • Integrity Check Value (ICV) - Defined in .
IPsec processing of the AH and ESP headers would occur before the VPN Service Option is available for processing by tunnel egress PE. The IPv6 Destination Options Extension Header contains:
  • Next Header - Defined in . MUST identify the protocol of the customer data.
  • Hdr Ext Len - Defined in . MUST be equal to 0.
  • Options - * Options - Defined in . MUST contain exactly one VPN Service Option as defined in of this document.
Control Plane Considerations The FIB can be populated:
  • By an operator, using a Command Line Interface (CLI).
  • By a controller, using the Path Computation Element (PCE) Communication Protocol (PCEP) or the Network Configuration Protocol (NETCONF) .
  • By the Border Gateway Protocol (BGP) .
If the FIB is populated using BGP, BGP creates a Label-FIB (LFIB), exactly as it would if VPN service information were encoded in an MPLS service label. The egress PE queries the LFIB to resolve information contained by the VPN Service Option.
IANA Considerations This document does not make any IANA requests. However, if the experiment described herein succeeds, the authors will reissue this document, to be published on the Standards Track. The reissued document will request an IPv6 Destination Option number, and contain operational recommendations reguarding a migration to a new code point.
Security Considerations IETF VPN technologies assume that PE devices trust one another. If an egress PE processes a VPN Service Option from an untrusted device, VPN boundaries can be breached. The following are acceptable methods of risk mitigation:
  • Authenticate the packet option using the IPv6 Authentication Header (AH) or the IPv6 Encapsulating Security Payload (ESP) Header . If the ESP Header is used, it encapsulates the entire packet.
  • Maintain a limited domain.
All nodes at the edge limited domain maintain Access Control Lists (ACLs) that discard packets that satisfy the following criteria:
  • Contain an IPv6 VPN Service option.
  • Contain an IPv6 Destination Address that represents an interface inside of the secure limited domain.
The mitigation techniques mentioned above operate in fail-open mode. See Section 3 of for a discussion of fail-open and fail-closed modes. The mitigation techniques mentioned above also address the tunneling concerns raised in .
Deployment Considerations The VPN Service Option is imposed by an ingress PE and processed by an egress PE. It is not processed by any nodes along the delivery path between the ingress PE and egress PE. So, it is safe to deploy the VPN Service Option across the Internet. However, some networks discard packets that include IPv6 Destination Options. This is an impediment to deployment. Because the VPN Service Option uses an experimental code point, there is a risk of collisions with other experiments. Specifically, the egress PE may process packets from another experiment that uses the same code point. It is expected that, as with all experiments with IETF protocols, care is taken by the operator to ensure that all nodes participating in an experiment are carefully configured. Because the VPN Service Destination Option uses an experimental code point, processing of this option MUST be disabled by default. Explicit configuration is required to enable processing of the option.
Experimental Results Parties participating in this experiment should publish experimental results within one year of the publication of this document. Experimental results should address the following:
  • Effort required to deploy
    • Was deployment incremental or network-wide?
    • Was there a need to synchronize configurations at each node or could nodes be configured independently?
    • Did the deployment require hardware upgrade?
  • Effort required to secure
    • Performance impact
    • Effectiveness of risk mitigation with ACLs
    • Cost of risk mitigation with ACLs
  • Mechanism used to populate the FIB
  • Scale of deployment
  • Interoperability
    • Did you deploy two interoperable implementations?
    • Did you experience interoperability problems?
  • Effectiveness and sufficiency of OAM mechanisms
    • Did PING work?
    • Did TRACEROUTE work?
    • Did Wireshark work?
    • Did TCPDUMP work?
Acknowledgements Thanks to Gorry Fairhurst, Antoine Fressancourt, Eliot Lear and Mark Smith for their reviews and contributions to this document.
References Normative References IP Authentication Header This document describes an updated version of the IP Authentication Header (AH), which is designed to provide authentication services in IPv4 and IPv6. This document obsoletes RFC 2402 (November 1998). [STANDARDS-TRACK] IP Encapsulating Security Payload (ESP) This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK] A Border Gateway Protocol 4 (BGP-4) This document discusses the Border Gateway Protocol (BGP), which is an inter-Autonomous System routing protocol. The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses. This information is sufficient for constructing a graph of AS connectivity for this reachability from which routing loops may be pruned, and, at the AS level, some policy decisions may be enforced. BGP-4 provides a set of mechanisms for supporting Classless Inter-Domain Routing (CIDR). These mechanisms include support for advertising a set of destinations as an IP prefix, and eliminating the concept of network "class" within BGP. BGP-4 also introduces mechanisms that allow aggregation of routes, including aggregation of AS paths. This document obsoletes RFC 1771. [STANDARDS-TRACK] Multiprotocol Extensions for BGP-4 This document defines extensions to BGP-4 to enable it to carry routing information for multiple Network Layer protocols (e.g., IPv6, IPX, L3VPN, etc.). The extensions are backward compatible - a router that supports the extensions can interoperate with a router that doesn't support the extensions. [STANDARDS-TRACK] Path Computation Element (PCE) Communication Protocol (PCEP) This document specifies the Path Computation Element (PCE) Communication Protocol (PCEP) for communications between a Path Computation Client (PCC) and a PCE, or between two PCEs. Such interactions include path computation requests and path computation replies as well as notifications of specific states related to the use of a PCE in the context of Multiprotocol Label Switching (MPLS) and Generalized MPLS (GMPLS) Traffic Engineering. PCEP is designed to be flexible and extensible so as to easily allow for the addition of further messages and objects, should further requirements be expressed in the future. [STANDARDS-TRACK] Security Concerns with IP Tunneling A number of security concerns with IP tunnels are documented in this memo. The intended audience of this document includes network administrators and future protocol developers. The primary intent of this document is to raise the awareness level regarding the security issues with IP tunnels as deployed and propose strategies for the mitigation of those issues. [STANDARDS-TRACK] Network Configuration Protocol (NETCONF) The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK] Internet Protocol, Version 6 (IPv6) Specification This document specifies version 6 of the Internet Protocol (IPv6). It obsoletes RFC 2460. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Address Allocation for Private Internets This document describes address allocation for private internets. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Generic Packet Tunneling in IPv6 Specification This document defines the model and generic mechanisms for IPv6 encapsulation of Internet packets, such as IPv6 and IPv4. [STANDARDS-TRACK] MPLS Label Stack Encoding This document specifies the encoding to be used by an LSR in order to transmit labeled packets on Point-to-Point Protocol (PPP) data links, on LAN data links, and possibly on other data links as well. This document also specifies rules and procedures for processing the various fields of the label stack encoding. [STANDARDS-TRACK] Unique Local IPv6 Unicast Addresses This document defines an IPv6 unicast address format that is globally unique and is intended for local communications, usually inside of a site. These addresses are not expected to be routable on the global Internet. [STANDARDS-TRACK] BGP/MPLS IP Virtual Private Networks (VPNs) This document describes a method by which a Service Provider may use an IP backbone to provide IP Virtual Private Networks (VPNs) for its customers. This method uses a "peer model", in which the customers' edge routers (CE routers) send their routes to the Service Provider's edge routers (PE routers); there is no "overlay" visible to the customer's routing algorithm, and CE routers at different sites do not peer with each other. Data packets are tunneled through the backbone, so that the core routers do not need to know the VPN routes. [STANDARDS-TRACK] Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling Virtual Private LAN Service (VPLS), also known as Transparent LAN Service and Virtual Private Switched Network service, is a useful Service Provider offering. The service offers a Layer 2 Virtual Private Network (VPN); however, in the case of VPLS, the customers in the VPN are connected by a multipoint Ethernet LAN, in contrast to the usual Layer 2 VPNs, which are point-to-point in nature. This document describes the functions required to offer VPLS, a mechanism for signaling a VPLS, and rules for forwarding VPLS frames across a packet switched network. [STANDARDS-TRACK] Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling This document describes a Virtual Private LAN Service (VPLS) solution using pseudowires, a service previously implemented over other tunneling technologies and known as Transparent LAN Services (TLS). A VPLS creates an emulated LAN segment for a given set of users; i.e., it creates a Layer 2 broadcast domain that is fully capable of learning and forwarding on Ethernet MAC addresses and that is closed to a given set of users. Multiple VPLS services can be supported from a single Provider Edge (PE) node. This document describes the control plane functions of signaling pseudowire labels using Label Distribution Protocol (LDP), extending RFC 4447. It is agnostic to discovery protocols. The data plane functions of forwarding are also described, focusing in particular on the learning of MAC addresses. The encapsulation of VPLS packets is described by RFC 4448. [STANDARDS-TRACK] Layer 2 Virtual Private Networks Using BGP for Auto-Discovery and Signaling Layer 2 Virtual Private Networks (L2VPNs) based on Frame Relay or ATM circuits have been around a long time; more recently, Ethernet VPNs, including Virtual Private LAN Service, have become popular. Traditional L2VPNs often required a separate Service Provider infrastructure for each type and yet another for the Internet and IP VPNs. In addition, L2VPN provisioning was cumbersome. This document presents a new approach to the problem of offering L2VPN services where the L2VPN customer's experience is virtually identical to that offered by traditional L2VPNs, but such that a Service Provider can maintain a single network for L2VPNs, IP VPNs, and the Internet, as well as a common provisioning methodology for all services. This document is not an Internet Standards Track specification; it is published for informational purposes. BGP MPLS-Based Ethernet VPN This document describes procedures for BGP MPLS-based Ethernet VPNs (EVPN). The procedures described here meet the requirements specified in RFC 7209 -- "Requirements for Ethernet VPN (EVPN)". Pseudowire Setup and Maintenance Using the Label Distribution Protocol (LDP) Layer 2 services (such as Frame Relay, Asynchronous Transfer Mode, and Ethernet) can be emulated over an MPLS backbone by encapsulating the Layer 2 Protocol Data Units (PDUs) and then transmitting them over pseudowires (PWs). It is also possible to use pseudowires to provide low-rate Time-Division Multiplexed and Synchronous Optical NETworking circuit emulation over an MPLS-enabled network. This document specifies a protocol for establishing and maintaining the pseudowires, using extensions to the Label Distribution Protocol (LDP). Procedures for encapsulating Layer 2 PDUs are specified in other documents. This document is a rewrite of RFC 4447 for publication as an Internet Standard. Internet Protocol Version 6 (IPv6) Parameters: Destination Options and Hop-by-Hop Options Internet Assigned Numbers Authority (IANA) Safe(r) Limited Domains Google, LLC Alston Networks Cisco Cisco Independent Documents describing protocols that are only intended to be used within "limited domains" often do not clearly define how the boundary of the limited domain is implemented and enforced, or require that operators of these limited domains perfectly filter at all of the boundary nodes of the domain to protect the rest of the global Internet from these protocols and vice-versa. This document discusses some design principles and offers mechanisms to allow protocols that are designed to operate in a limited domain "fail-closed" rather than "fail-open", thereby making these protocols safer to deploy on the Internet. These mechanism are not applicable to all protocols intended for use in a limited domain, but if implemented on certain classes of protocols, they can significantly reduce the risks.