Yaakov (J) Stein, Chief Scientist, RAD Data Communications, June 2006
Contents
- Ethernet PWs
- Other PWs
- PWE control protocol
- L2VPNs
- LDP vs. BGP
- Provisioning
- VPLS Generalizations
- L3VPNs
Y(J)S PWE-VPLS Slide 2
Interworking

Tunneling - interworking
- mating different network protocols is called interworking
- the protocol converter goes by various names
[Figure: native network | infrastructure network | native network; customer network | leased line | customer network; customer network | physical link | customer network; customer network | provider network | customer network]
Interworking motivation
- there are many different types of network traffic (voice, video, file transfer, etc.)
- all types fall into one of three classes:
  - real-time constant bit-rate
  - real-time variable bit-rate
  - non-real-time (packet)
- there are many different types of network (IP, ATM, FR, Ethernet, etc.)
- most were originally designed for a specific type of traffic
- providers with one type of network infrastructure want to fully exploit it: they want to carry all types of network traffic over it
Service Interworking
[Figure: Native Service A | service interworking | Native Service B]

VPNs
- conventional model: Ethernet is a LAN technology (last 100 m, tens of hosts); IP is a WAN technology
- data is transported in native IP, with different L2 technologies for the last segment
[Figure: Ethernet LANs interconnected over an IP WAN]
[Figure: VPN reference model. Each customer network attaches over a physical link (the Attachment Circuit, AC) to a Provider Edge (PE) of the provider network, which emulates a link between the customer sites.]
Key:
- C: customer router/switch
- CE: Customer Edge router/switch
- P: provider router/switch
- PE: Provider Edge router/switch
- AC: Attachment Circuit
[Figure: customer 1 and customer 2 networks, each with C and CE devices, attached to PEs of the provider network; P routers interconnect the PEs]
L3 encapsulation
- for simplicity, let's think of an IP network: the traditional architecture uses the following packet formats
[Figure: on each segment, LAN and WAN: Eth hdr | IP hdr | payload | Eth FCS]
VPN Challenges
[Figure: hosts 192.115.243.19 and 192.115.243.79 connected across the SP network, with 192.115.243.19 also appearing at another site]
- security
- private IP addresses
- multiple higher-layer protocols
- SP resource requirements
- complex provider - customer relationship
MPLS network
[Figure: customers 1 and 2 each using host address 192.115.243.19; packet format inside the MPLS network: MPLS label | IP header | payload]
- assume customers 1 and 2 use overlapping IP addresses; then C-routers would have inconsistent tables
- the ingress PE-router pushes a label
- P-routers see only the MPLS label, not the customer (LAN) IP addresses, so there is no ambiguity
VPN types
- Legacy: proprietary leased line (not virtual); Frame Relay over E1/T1; ATM over E1 or multiple E1
- Pure IP: IPsec tunnel; L2TP tunnel
- MPLS L3VPN: RFC 4364 (ex 2547bis)
- MPLS L2VPN: VPWS / VPLS
Pseudowires

Pseudowires
- Packet Switched Network (PSN): a network that forwards packets; IPv4, IPv6, MPLS, Ethernet (although the IETF does not touch Ethernet as a PSN)
- a pseudowire (PW) is a mechanism to tunnel through a PSN
- PWs are bidirectional (unlike MPLS LSPs)
[Figure: native services on Customer Edge devices attached to Provider Edge (PE) routers; PseudoWires (PWs) run between the PEs across the provider's PSN of P routers]

IETF PWE3 WG
- in the Internet Area of the Internet Engineering Task Force
- native (layer 1, 2) services: ATM (port mode, cell mode, AAL5-specific modes), FR, Ethernet (DIX, 802.3, VLAN), TDM (SONET/SDH, E1, T1, E3, T3)
- supported Packet Switched Networks (PSNs): IPv4, IPv6, MPLS, L2TPv3 (not Ethernet)
PWE3 WG Charter
- network interworking, not service interworking
- must not exert controls on the underlying PSN (but diffserv and RSVP-TE can be used)
MPLS
- much of the PWE work is focused on MPLS
[Figure: CE devices attached via ACs to PEs, with LSPs between the PEs across the MPLS network]
- each customer network is mapped to a pair of (unidirectional) LSPs
- supports various AC technologies
- each native packet/frame is encapsulated with an MPLS label
- scaling problem: this requires a large number of LSPs, and P-routers need to be aware of customer networks
(Martini) Pseudowires
[Figure: CE devices attached via ACs to PEs; a transport MPLS tunnel between the PEs carries multiple PWs]
- a transport MPLS tunnel is set up between the PEs
- multiple PWs may be set up inside the tunnel
- the native packet/frame is encapsulated with 2 labels (tunnel label and PW label) in front of the payload
Example formats
- MPLS PSN: tunnel label(s) | PW label | control word | payload
- L2TPv3 PSN: IP header (5*4 B) | session ID (4 B) | optional cookie (4 or 8 B) | control word (4 B) | payload
Related standards
- ITU-T SG13: Y.1411, Y.1412, Y.1413, Y.1414, Y.1415, Y.1452, Y.1453, X.84
- ITU-T SG15: G.769, G.8261
- MFA Forum (MPLS Frame Relay ATM): TDM over MPLS using AAL1 (IA 4.0), I.366.2 over MPLS (IA 5.0), af-aic-0178
TDM PWs

Steps in TDMoIP
1. the synchronous bit stream is segmented
2. the TDM segments are adapted
3. the TDMoIP control word is prepended
4. PSN (IP/MPLS) headers are prepended (encapsulation)
5. packets are transported over the PSN to the destination
6. the PSN headers are utilized and stripped
7. the control word is checked, utilized and stripped
8. the TDM stream is reconstituted (using the adaptation) and played out

TDM Structure
- handling of TDM depends on its structure
- unstructured TDM: the TDM is an arbitrary stream of bits
- structured TDM:
  - framed: a SYNC pattern followed by single-byte timeslots, 8000 frames per second
  - channelized: the timeslots (TS1 ... TSn) of each frame are individual channels
  - multiframed: frames are grouped into a multiframe, which also carries signaling bits
[Figure: framed, channelized and multiframed TDM structures]
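The TDMoIP steps above, simulated end to end, as an added example that is not part of the slides. A constant-rate TDM byte stream is segmented, each segment gets a control word carrying a 16-bit sequence number, and the far end checks the control words, reorders the packets, drops duplicates and stale packets, and substitutes fill for a lost packet so the played-out stream keeps its timing. The 64-byte segment size, the 0xFF fill byte and the sample stream are assumptions of this example; the control word layout (0000 | flags | FRG | LEN | sequence number) is the PWE3 one.

```python
"""TDMoIP segmentation and reassembly (added example, not from the slides)."""
import struct

SEGMENT_SIZE = 64      # assumed: bytes of TDM data carried per packet
FILL_BYTE = b"\xff"    # assumed: played out in place of a lost segment
SEQ_MOD = 1 << 16      # the sequence number field is 16 bits wide


def control_word(seq, local_fault=False):
    """0000 | L R M M (4 flag bits) | FRG (2) | LEN (6) | sequence (16).
    Only the L (local TDM failure) flag and the sequence number are set here."""
    flags = 0b1000 if local_fault else 0
    return struct.pack("!BBH", flags, 0, seq % SEQ_MOD)


def parse_control_word(cw):
    first, _frg_len, seq = struct.unpack("!BBH", cw)
    if first >> 4 != 0:
        raise ValueError("first nibble must be 0000 (else it could be mistaken for an IP header)")
    return {"local_fault": bool(first & 0b1000), "seq": seq}


def segment(tdm, first_seq=0):
    """Steps 1-3: cut the stream into segments and prepend the control word."""
    if len(tdm) % SEGMENT_SIZE:
        raise ValueError("example expects a whole number of segments")
    return [control_word(first_seq + i) + tdm[i * SEGMENT_SIZE:(i + 1) * SEGMENT_SIZE]
            for i in range(len(tdm) // SEGMENT_SIZE)]


def seq_delta(a, b):
    """Signed distance from sequence b to sequence a, modulo 2^16 (handles wraparound)."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


def reassemble(packets, expected_seq, count):
    """Steps 7-8: check each control word, keep packets inside the playout window,
    drop duplicates and stale ones, then play out `count` segments in order,
    substituting fill for any segment that never arrived."""
    buf, stats = {}, {"lost": 0, "dropped": 0}
    for pkt in packets:
        seq = parse_control_word(pkt[:4])["seq"]
        if 0 <= seq_delta(seq, expected_seq) < count and seq not in buf:
            buf[seq] = pkt[4:]
        else:
            stats["dropped"] += 1
    out = bytearray()
    for i in range(count):
        s = (expected_seq + i) % SEQ_MOD
        if s in buf:
            out += buf[s]
        else:
            out += FILL_BYTE * SEGMENT_SIZE
            stats["lost"] += 1
    return bytes(out), stats


def demo():
    """Constructed run: 8 segments starting just below the sequence wrap; packet 3 is
    lost, packet 5 is duplicated and packets 1 and 2 arrive out of order."""
    tdm = bytes(range(256)) * 2
    pkts = segment(tdm, first_seq=65534)
    received = [pkts[0], pkts[2], pkts[1], pkts[4], pkts[5], pkts[5], pkts[6], pkts[7]]
    return reassemble(received, expected_seq=65534, count=8)


if __name__ == "__main__":
    played, stats = demo()
    print(stats, played[192:200].hex())
```

The playout window is what makes the receiver robust: a packet whose sequence number is outside the window, whether replayed, stale or forged, is counted and discarded rather than overwriting data already queued for playout.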
Ethernet PWs

Ethernet limitations
- Ethernet LAN is the most popular LAN, but Ethernet can not be made into a WAN:
  - Ethernet is limited in distance between stations
  - Ethernet is limited in number of stations on a segment
  - Ethernet is inefficient in finding the destination address
  - Ethernet only prunes the network topology, it does not route
- so the architecture that has emerged is Ethernet private networks connected by public networks of other types (e.g. IP)
[Figure: LAN | WAN | LAN]
- this model is not transparent Ethernet LAN interconnect:
  - Ethernet LANs with multiple higher-layer packet types (e.g. IPv4, IPv6, IPX, SNA, CLNP, etc.) can't be interconnected
  - raw L2 Ethernet frames can not be sent: the Ethernet layer is terminated at WAN ingress, and the traffic is no longer Ethernet at all
[Figure: Ethernet | WAN (not Ethernet) | Ethernet]

Ethernet over X
[Figure: Ethernet | X | Ethernet, with the Ethernet frames carried inside X]
- Ethernet frames can be carried over various WANs:
  - HDLC: not standardized, Cisco-HDLC
  - FR: RFC 2427 / STD 55 (ex RFC 1490)
  - ATM: RFC 2684 (ex RFC 1483), LANE
  - SONET/SDH/PDH: PoS (RFC 2615, ex RFC 1619), LAPS (X.85/X.86), GFP (G.7041)
- the Ethernet frame usually has its FCS stripped; the SP tag may also be stripped
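An Ethernet PW over an MPLS PSN, as an added example (not code from the slides). It builds and parses the MPLS format from the "Example formats" slide, tunnel label | PW label (bottom of stack) | control word | payload, and does the ingress FCS strip and egress FCS regeneration described just above. Label values, the PW-to-AC table and the sample frame are constructed for the example. The practitioner's point is in decapsulate: P routers forward on labels alone, so the PW label is the only thing that selects a customer's attachment circuit, and a packet whose bottom label is not in the provisioned table is dropped rather than delivered to anyone.

```python
"""Ethernet-over-MPLS pseudowire encapsulation (added example, not from the slides)."""
import struct
import zlib


def label_entry(label, tc=0, s=0, ttl=255):
    """One 32-bit MPLS label stack entry: label (20) | TC (3) | S (1) | TTL (8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def parse_label_entry(b):
    v = struct.unpack("!I", b)[0]
    return {"label": v >> 12, "tc": (v >> 9) & 7, "s": (v >> 8) & 1, "ttl": v & 0xFF}


def fcs(frame_body):
    """Ethernet FCS: CRC-32, transmitted least significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def pw_control_word(seq=0):
    """Generic PW control word: 0000 | flags (4) | FRG (2) | LEN (6) | sequence (16)."""
    return struct.pack("!BBH", 0, 0, seq & 0xFFFF)


def encapsulate(frame, tunnel_label, pw_label, seq=0):
    """Ingress PE: check and strip the FCS, then push the PW label (S=1) and the tunnel label."""
    body, tail = frame[:-4], frame[-4:]
    if fcs(body) != tail:
        raise ValueError("bad FCS: drop on the AC, do not inject into the PW")
    return (label_entry(tunnel_label) + label_entry(pw_label, s=1)
            + pw_control_word(seq) + body)


def decapsulate(packet, pw_table):
    """Egress PE: walk the label stack to the bottom entry (the PW label), which must map
    to a provisioned AC; anything else is dropped, never guessed. Then check the control
    word and regenerate the FCS for transmission on the AC."""
    off = 0
    while True:
        if len(packet) < off + 4:
            raise ValueError("truncated label stack")
        entry = parse_label_entry(packet[off:off + 4])
        off += 4
        if entry["s"]:
            break
    if entry["label"] not in pw_table:
        raise ValueError(f"unknown PW label {entry['label']}: drop")
    cw = packet[off:off + 4]
    if len(cw) < 4 or cw[0] >> 4 != 0:
        raise ValueError("control word must start with 0000")
    seq = struct.unpack("!H", cw[2:4])[0]
    body = packet[off + 4:]
    return pw_table[entry["label"]], seq, body + fcs(body)


def sample_frame():
    """Constructed 64-byte Ethernet frame: dst, src, EtherType 0x0800, 46 zero bytes, FCS."""
    body = bytes.fromhex("0011223344550066778899aa0800") + bytes(46)
    return body + fcs(body)


def demo():
    pw_table = {1001: "AC-cust1-eth0"}     # assumed: PW label -> attachment circuit
    frame = sample_frame()
    pkt = encapsulate(frame, tunnel_label=16, pw_label=1001, seq=7)
    ac, seq, out = decapsulate(pkt, pw_table)
    return ac, seq, out == frame, len(pkt)


if __name__ == "__main__":
    print(demo())
```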
Other PWs
- SONET/SDH
- HDLC / PPP
- Fibre Channel
- X.25
- Generic ????
PWE control protocol (RFC 4447)
- used to set up / configure PWs
- used only by the PW end-points (PEs in the standard model); intermediate nodes (e.g. P routers) don't participate and don't see it
[Figure: PE - P - P - P - PE, with the control protocol running end to end between the PEs]
- based on LDP: targeted LDP is used to communicate with the opposite end-point
- 2 new FEC elements for PWs, and new TLVs added for PW-specific functionality
- associates two labels with a PW

PWE control
- a PW is a bidirectional entity (two LSPs in opposite directions)
- a PW connects two forwarders
- 2 different LDP FEC elements can be used: the PWid FEC (128) and the Generalized ID FEC (129)
FEC 128
- both end-points of the PW must be provisioned with the same unique (32 bit) value, the PW ID
- each PW end-point independently initiates LSP set up; the two LSPs are bound together into a single PW
FEC 129
- used when autodiscovering PW end-points
- each end-point has an attachment identifier (AI)

Generalized ID
- for each forwarder we have a PE-unique Attachment Identifier (AI); <PE, AI> must be globally unique
- it is frequently useful to group a set of forwarders into an attachment group, where PWs may only be set up among members of the group
- then the Attachment Identifier (AI) consists of an Attachment Group Identifier (AGI), which is basically a VPN-id, and an Attachment Individual Identifier (AII)
- the LSPs making up the (two directions of the) PW are <PE1, (AGI, AII1), PE2, (AGI, AII2)> and <PE2, (AGI, AII2), PE1, (AGI, AII1)>
- we also need to define the Source Attachment Identifier (SAI = AGI + SAII) and the Target Attachment Identifier (TAI = AGI + TAII)
- the receiving PE can map the TAI uniquely to an AC
PWE OAM

VCCV
- VC (old name for PW) Connectivity Verification
- runs inside the PW (same PW label) as an associated channel
- inside VCCV several different OAM mechanisms may be used: ICMP, LSP ping, BFD, ???

Multisegment PW (MS-PW)
- a Single-Segment PW (SS-PW) requires the PEs to see each other; when there are multiple PSN domains this may not be the case
- Terminal-PEs (T-PEs) interconnect via a stitching PE (S-PE)
- the PW label becomes a true MPLS label (switched, i.e. swapped, at the S-PE)
- when there is more than one S-PE, need to ensure that the 2 LSPs traverse the same one
L2VPNs

VPWS
[Figure: CE - AC - PE - provider network - PE - AC - CE]
- Virtual Private Wire Service is a L2 point-to-point service
- it emulates a wire supporting the Ethernet physical layer
- set up an MPLS tunnel between the PEs, then set up an Ethernet PW inside the tunnel
- the CEs appear to be connected by a single L2 circuit
- (can also make VPWS for ATM, FR, etc.)
VPLS
[Figure: three CEs, each attached by an AC to a PE; the PEs are fully meshed by PWs]
- VPLS emulates a LAN over an MPLS network
- set up an MPLS tunnel between every pair of PEs (full mesh)
- set up an Ethernet PW inside the tunnels, for each VPN instance
VPLS
[Figure: each PE contains, per VPLS instance, a VPLS code module (V) and a bridging module (B); CEs attach to B, and the V modules connect to each other across the SP network]
- V: VPLS code module (IETF drafts)
- B: bridging module (standard IEEE 802.1D learning bridge)

VPLS bridge
- the PE maintains a separate bridging module for each VPN (VPLS instance)
- the VPLS bridging module must perform: MAC learning, MAC aging, flooding of frames with unknown destination MAC, replication (for unknown/multicast/broadcast frames)
- unlike a true bridge, the Spanning Tree Protocol is not used (limited traffic engineering capabilities, scalability limitations, slow convergence)
- forwarding loops are avoided by split horizon: a PE never forwards a packet received from the MPLS network to another PE
- this is not a limitation: since there is a full mesh of PWs, the ingress PE always sends directly to the right PE

[Figure: the same V/B module diagram]
- a packet arriving from another PE is only sent to a CE (split horizon), and is sent to a particular CE based on 802.1D bridging
- towards the PSN, the VPLS module obtains the frame from the bridge, encapsulates the Ethernet frame and injects the packet into the PW
- from the PSN, it retrieves the packet from the PW, removes the PW encapsulation and forwards the Ethernet frame to the bridge
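A minimal bridging module for one VPLS instance, as an added example in Python (not code from the slides or from any VPLS implementation). It performs the four functions listed above, MAC learning, MAC aging, flooding of unknown-destination frames and replication for unknown/multicast/broadcast, and enforces split horizon so a frame that arrived over a PW is never sent out on another PW. Port names, the aging time, the MAC table size limit and the frames are constructed for the example. The table limit is the check a practitioner wants here: without it, a host that sends frames with thousands of random source addresses exhausts the table of this instance and turns every unknown destination into a flood.

```python
"""VPLS bridging module simulation (added example, not from the slides)."""
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac):
    """Multicast/broadcast: the I/G bit (lowest bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VplsBridge:
    def __init__(self, acs, pws, aging_time=300.0, max_macs=1024):
        self.acs, self.pws = list(acs), list(pws)
        self.aging_time, self.max_macs = aging_time, max_macs
        self.table = {}                       # MAC -> (port, last seen)

    def learn(self, mac, port, now):
        if is_group(mac):
            return                            # a group address is never a valid source
        if mac not in self.table and len(self.table) >= self.max_macs:
            return                            # table full: new sources do not evict learned ones
        self.table[mac] = (port, now)

    def age(self, now):
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < self.aging_time}

    def forward(self, frame, in_port, now=None):
        """Return the egress ports for a (dst, src) frame received on in_port."""
        now = time.monotonic() if now is None else now
        self.age(now)
        dst, src = frame
        self.learn(src, in_port, now)
        # split horizon: a frame from the MPLS side may only go to local ACs
        candidates = self.acs if in_port in self.pws else self.acs + self.pws
        candidates = [p for p in candidates if p != in_port]
        if dst == BROADCAST or is_group(dst):
            return candidates                 # replication
        entry = self.table.get(dst)
        if entry is None:
            return candidates                 # flood unknown unicast
        return [entry[0]] if entry[0] in candidates else []   # known: one port, or drop


def demo():
    b = VplsBridge(acs=["ac1", "ac2"], pws=["pw-PE2", "pw-PE3"], aging_time=300)
    a, bb, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    r1 = b.forward((bb, a), "ac1", now=0)        # dst unknown: flood to the other AC and all PWs
    r2 = b.forward((a, bb), "pw-PE2", now=1)     # a was learned on ac1: unicast there
    r3 = b.forward((c, bb), "pw-PE2", now=2)     # unknown dst from a PW: ACs only (split horizon)
    r4 = b.forward((a, bb), "pw-PE3", now=400)   # a has aged out: flood, still ACs only
    return r1, r2, r3, r4


if __name__ == "__main__":
    print(demo())
```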
L2VPN vs. L3VPN
[Figure: CE - PE - ? - PE - CE]
- in an L2VPN, the CEs appear to be connected by a single L2 network; the PEs are transparent to L3 routing protocols; the CEs are routing peers
- in an L3VPN, the CE routers appear to be connected by a single L3 network; the CE is a routing peer of the PE, not of the remote CE; the PE maintains a routing table for each VPN

- a variant: frames are still forwarded based on the MAC DA (so this is not an L3VPN), but the MAC forwarding tables are updated via PW signaling, not 802.1D
- the PE snoops IP and ARP frames to discover the CEs connected to it, creates an (AC, VPN-ID, IP-addr, MAC-addr) entry, creates PWs to all PEs participating in the VPN-ID, and sends its entries to these PEs
- Address Resolution Protocol (ARP) messages are proxied rather than being carried transparently: the PE searches the entries it has received
- can support different AC types (Ethernet and FR); ARP Mediation ensures proper mapping
LDP vs. BGP
- BGP: multiprotocol (IPv4, IPv6, IPX, MPLS); a highly complex protocol; provides routing and label distribution
- LDP: a simpler protocol; only label distribution; extendable for autodiscovery

BGP
- header (19 B): marker (16 B), length (2 B), type (1 B), followed by data (variable)
- message types: OPEN (for session initialization), UPDATE (add, change and withdraw routes), NOTIFICATION (return error messages, terminate the session), KEEPALIVE (heartbeat)

BGP OPEN
- version (1 B), my AS (2 B), hold time (2 B), BGP-ID (4 B), opt len (1 B), opt parameters (variable)
- version: 3 or 4
- my AS: identifier of the autonomous system
- hold time: max time (sec) between receipt of messages
- BGP ID: the sender's BGP identifier
- opt len: length (bytes) of the optional parameters
- opt parameters: TLVs

BGP UPDATE
- WR len (2 B), withdrawn routes (var), PA len (2 B), path attributes (var), NLRI (var)
- Withdrawn Routes: list of routes no longer to be used (NLRI format, see below)
- Path Attributes: route-specific information (see next page)
- Network Layer Reachability Information: (classless) routing information; each entry is len (1 B), prefix (variable)
- the NLRI is a list of address prefixes; each prefix must be masked from the left to the length specified
- path attribute flags include T, the transitive/non-transitive bit: for an optional attribute, if T=1 and the attribute is unrecognized it is passed along, else it is silently ignored; well-known attributes are always transitive

BGP NOTIFICATION
- error code (1 B), error subcode (1 B), data (var)
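A parser for the BGP message formats listed above, added here as an example (not code from the slides), with the checks a receiver has to make before it trusts any field: the 16-octet marker of all ones, a length between 19 and 4096 octets that matches the bytes received, attribute lengths that stay inside the message, and NLRI prefixes masked from the left to the stated length. Each failure raises the error that a real speaker would answer with a NOTIFICATION. The three sample messages are constructed; AS 64496 and the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation values, and the parser accepts version 4 only.

```python
"""BGP message parser with receiver-side validation (added example, not from the slides)."""
import struct
from ipaddress import IPv4Address

MARKER = b"\xff" * 16
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
WELL_KNOWN = {1, 2, 3}            # ORIGIN, AS_PATH, NEXT_HOP

class BgpError(ValueError):
    """Header/OPEN/UPDATE error: answered with a NOTIFICATION and the session is closed."""

def parse_header(data):
    if len(data) < 19:
        raise BgpError("short header")
    marker, length, mtype = struct.unpack("!16sHB", data[:19])
    if marker != MARKER:
        raise BgpError("connection not synchronised (bad marker)")
    if not 19 <= length <= 4096 or length > len(data):
        raise BgpError(f"bad message length {length}")
    if mtype not in TYPES:
        raise BgpError(f"bad message type {mtype}")
    return TYPES[mtype], data[19:length]

def parse_open(body):
    if len(body) < 10:
        raise BgpError("short OPEN")
    version, my_as, hold, bgp_id, optlen = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise BgpError("unsupported version")      # this parser speaks BGP-4 only
    if len(body) != 10 + optlen:
        raise BgpError("optional parameter length mismatch")
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "bgp_id": str(IPv4Address(bgp_id)), "opt": body[10:]}

def parse_nlri(blob):
    """Prefix list: len (1 B) then ceil(len/8) bytes; bits beyond len are masked off."""
    prefixes, off = [], 0
    while off < len(blob):
        plen = blob[off]
        nbytes = (plen + 7) // 8
        if plen > 32 or off + 1 + nbytes > len(blob):
            raise BgpError("malformed NLRI")
        raw = int.from_bytes(blob[off + 1:off + 1 + nbytes].ljust(4, b"\0"), "big")
        prefixes.append(f"{IPv4Address(raw & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF))}/{plen}")
        off += 1 + nbytes
    return prefixes

def parse_update(body):
    wr_len = struct.unpack("!H", body[:2])[0]
    withdrawn = parse_nlri(body[2:2 + wr_len])
    pa_off = 2 + wr_len
    pa_len = struct.unpack("!H", body[pa_off:pa_off + 2])[0]
    off, end, attrs = pa_off + 2, pa_off + 2 + pa_len, []
    if end > len(body):
        raise BgpError("attribute length overruns message")
    while off < end:
        flags, code = body[off], body[off + 1]
        if flags & 0x10:           # Extended Length flag: 2-byte attribute length
            alen, off = struct.unpack("!H", body[off + 2:off + 4])[0], off + 4
        else:
            alen, off = body[off + 2], off + 3
        attrs.append({"code": code, "optional": bool(flags & 0x80),
                      "transitive": bool(flags & 0x40), "value": body[off:off + alen]})
        off += alen
    return {"withdrawn": withdrawn, "attributes": attrs, "nlri": parse_nlri(body[end:])}

def parse_notification(body):
    return {"error_code": body[0], "error_subcode": body[1], "data": body[2:]}

def action_for(attr):
    """The T-bit rule above: an unrecognised optional attribute is passed along if
    transitive and silently ignored if not; an unrecognised well-known one is an error."""
    if attr["code"] in WELL_KNOWN:
        return "process"
    if not attr["optional"]:
        return "error"
    return "pass along" if attr["transitive"] else "ignore"

def build(mtype, body):
    return MARKER + struct.pack("!HB", 19 + len(body), mtype) + body

# Constructed sample messages.
OPEN_MSG = build(1, struct.pack("!BHHIB", 4, 64496, 90, int(IPv4Address("192.0.2.1")), 0))
UPDATE_MSG = build(2, struct.pack("!HH", 0, 4) + bytes([0x40, 1, 1, 0])   # no withdrawn; ORIGIN=IGP
                   + bytes([24, 198, 51, 100]))                            # NLRI 198.51.100.0/24
NOTIF_MSG = build(3, bytes([1, 2]))            # Message Header Error / Bad Message Length
PARSERS = {"OPEN": parse_open, "UPDATE": parse_update, "NOTIFICATION": parse_notification}

def demo():
    out = {}
    for msg in (OPEN_MSG, UPDATE_MSG, NOTIF_MSG):
        mtype, body = parse_header(msg)
        out[mtype] = PARSERS[mtype](body)
    return out
```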
LDP
- header (10 B): version (2 B), length (2 B), LDP-ID (6 B), followed by messages (variable)
- version: presently 1
- length: PDU length, excluding the version and length fields
- LDP-ID identifies the label space of the sending LDP peer: LSR-ID (4 B, globally unique LSR ID) and label space ID (2 B, for per-port label spaces; zero for per-platform label spaces)
- messages: zero or more messages, each in TLV form (see next page)

LDP messages
- U bit + type (2 B), length (2 B), message-ID (4 B), mandatory parameters (variable), optional parameters (variable)
- U (unknown message bit): if the message type is unknown to the receiver, U=0 means the receiver returns a notification to the sender, U=1 means the receiver silently ignores the message
- length: message length, excluding the type and length fields
- Message-ID: unique ID for the message (for matching with a returned notification)
- if there are mandatory parameters, they must appear in a specific order; optional parameters may appear in any order

LDP session setup
- an LSR periodically transmits hello messages over UDP (port 646): multicast to the all-routers group on the subnet, or targeted to a preconfigured IP address
- LSRs listen on this UDP port for hello messages
- when an LSR receives a hello from another LSR it opens a TCP connection to that other LSR, or (for extended discovery) it unicasts a hello back to the other LSR
- the LSR with the higher ID sends the session initialization message; the other LSR accepts (sends a keepalive) or rejects; thereafter informative or keepalive messages are sent
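An LDP PDU parser for the header and message layout above, added as an example (not code from the slides). It checks the version and PDU length, decodes the LDP-ID into LSR-ID and label space, walks the messages with their own length checks, and applies the U-bit rule to a message type it does not know: U=0 means notify the sender (quoting the message ID), U=1 means ignore silently. The message type values are those of RFC 5036; the LSR-ID 192.0.2.10 and the types 0x3F00/0x3F01 used for the unknown messages are constructed for the example.

```python
"""LDP PDU and message parser with the U-bit rule (added example, not from the slides)."""
import struct

LDP_PORT = 646          # UDP for hellos, TCP for the session
MSG_TYPES = {0x0001: "Notification", 0x0100: "Hello", 0x0200: "Initialization",
             0x0201: "KeepAlive", 0x0300: "Address", 0x0301: "Address Withdraw",
             0x0400: "Label Mapping", 0x0401: "Label Request",
             0x0402: "Label Withdraw", 0x0403: "Label Release"}

def build_msg(mtype, msg_id, params=b"", unknown_ok=False):
    """U (1 bit) + type (15) | length (2) | message ID (4) | parameters.
    Length excludes the U/type and length fields. unknown_ok sets U=1."""
    u_type = (0x8000 if unknown_ok else 0) | (mtype & 0x7FFF)
    return struct.pack("!HHI", u_type, 4 + len(params), msg_id) + params

def build_pdu(lsr_id, label_space, messages):
    """version (2) | PDU length (2) | LDP-ID = LSR-ID (4) + label space (2) | messages.
    PDU length excludes the version and length fields."""
    ldp_id = struct.pack("!4sH", bytes(int(o) for o in lsr_id.split(".")), label_space)
    body = ldp_id + b"".join(messages)
    return struct.pack("!HH", 1, len(body)) + body

def parse_pdu(data):
    version, length = struct.unpack("!HH", data[:4])
    if version != 1:
        raise ValueError("unsupported LDP version")
    if length < 6 or 4 + length > len(data):
        raise ValueError("PDU length does not match the bytes received")
    lsr_id, space = struct.unpack("!4sH", data[4:10])
    ldp_id = {"lsr_id": ".".join(str(o) for o in lsr_id), "label_space": space,
              "per_platform": space == 0}
    msgs, off, end = [], 10, 4 + length
    while off < end:
        u_type, mlen, msg_id = struct.unpack("!HHI", data[off:off + 8])
        if mlen < 4 or off + 4 + mlen > end:
            raise ValueError("message length overruns the PDU")
        mtype, u = u_type & 0x7FFF, bool(u_type & 0x8000)
        if mtype in MSG_TYPES:
            action = "process"
        elif u:
            action = "ignore silently"
        else:
            action = "notify sender"       # Unknown Message Type notification, citing msg_id
        msgs.append({"type": MSG_TYPES.get(mtype, f"unknown 0x{mtype:04x}"), "u": u,
                     "msg_id": msg_id, "params": data[off + 8:off + 4 + mlen], "action": action})
        off += 4 + mlen
    return ldp_id, msgs

def demo():
    """One PDU from LSR 192.0.2.10 (per-platform label space) carrying a KeepAlive,
    an unknown message with U=1 and an unknown message with U=0."""
    pdu = build_pdu("192.0.2.10", 0, [
        build_msg(0x0201, msg_id=7),
        build_msg(0x3F00, msg_id=8, params=b"\x01\x02", unknown_ok=True),
        build_msg(0x3F01, msg_id=9),
    ])
    return parse_pdu(pdu)

if __name__ == "__main__":
    print(demo())
```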
Provisioning VPLS

Provisioning
- customers may want their SP to take an active role in managing their networks
- Provider Provisioned VPN (PPVPN) refers to a VPN for which the SP participates in management and provisioning
- by provisioning we mean (at least): setting up the ACs (often manual configuration); assigning a global VPN-ID to VPN instances; discovery of all PEs that participate in a VPN instance; associating the AC with the VPN at the PE; providing the PEs with the information needed to set up tunnels; configuring the tunnels with the necessary characteristics

Autodiscovery
- we have assumed that each PE knows which PEs participate in a particular VPN instance

VPWS Provisioning
- Double Sided Provisioning: each AC is provisioned with a local name, the remote PE address, and a remote name
- during signaling, the local name is sent as the SAII and the remote name as the TAII (AGI = null)
- to connect 2 ACs by a PW: local name = remote name (PWid FEC), or the local name of each must be the remote name of the other

VPLS Provisioning
- every VPLS instance is assigned a unique VPN-id
- PEs are preconfigured or find each other using auto-discovery
- if a PE detects a VPN-id to which it belongs it sets up a PW
- during signaling the VPN-id is sent as the AGI field; SAII and TAII are set to null
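The FEC elements from the PWE control protocol section and the matching rules from the VPWS and VPLS provisioning sections above, in one added example (not code from the slides or from any vendor's implementation). It encodes and decodes the PWid FEC element (type 0x80) and the Generalized PWid FEC element (type 0x81, carrying AGI, SAII and TAII sub-TLVs), then applies the double-sided VPWS rule (AGI null, local name sent as SAII, remote name as TAII, and the names of the two ACs must cross-match) and the VPLS rule (VPN-id as AGI, null AIIs, accept only from a PE known to participate). The PE addresses, AC names, PW ID, VPN-id and the use of AGI/AII type 1 are assumptions of the example. The check worth keeping is the negative one: a label mapping whose TAI matches no provisioned AC, or that comes from a PE other than the provisioned remote PE, binds nothing.

```python
"""RFC 4447 FEC elements and provisioning match rules (added example, not from the slides)."""
import struct

PW_TYPE_ETHERNET = 0x0005       # Ethernet PW type

def aii(n):
    """AII type 1: a 4-octet identifier (the 'local name' / 'remote name')."""
    return struct.pack("!I", n)

def agi(n):
    """AGI type 1: an 8-octet value; here the VPN-id as an integer (assumed encoding)."""
    return struct.pack("!Q", n)

def sub_tlv(t, value):
    return struct.pack("!BB", t, len(value)) + value

def fec128(pw_id, group_id=0, pw_type=PW_TYPE_ETHERNET, control_word=True, ifparams=b""):
    """0x80 | C + PW type (16) | PW info length (8) | group ID (32) | PW ID (32) | interface params.
    PW info length counts the PW ID field and the interface parameters."""
    c_type = (0x8000 if control_word else 0) | pw_type
    return struct.pack("!BHBII", 0x80, c_type, 4 + len(ifparams), group_id, pw_id) + ifparams

def fec129(agi_v, saii_v, taii_v, pw_type=PW_TYPE_ETHERNET, control_word=True):
    """0x81 | C + PW type | PW info length | AGI sub-TLV | SAII sub-TLV | TAII sub-TLV.
    An empty value encodes a null identifier (length 0)."""
    body = sub_tlv(1, agi_v) + sub_tlv(1, saii_v) + sub_tlv(1, taii_v)
    c_type = (0x8000 if control_word else 0) | pw_type
    return struct.pack("!BHB", 0x81, c_type, len(body)) + body

def parse_fec(data):
    kind, c_type, info_len = struct.unpack("!BHB", data[:4])
    common = {"control_word": bool(c_type & 0x8000), "pw_type": c_type & 0x7FFF}
    if kind == 0x80:
        if info_len < 4 or 8 + info_len > len(data):
            raise ValueError("bad PW info length")
        group_id, pw_id = struct.unpack("!II", data[4:12])
        return {"fec": 128, "group_id": group_id, "pw_id": pw_id,
                "ifparams": data[12:8 + info_len], **common}
    if kind == 0x81:
        off, end, ids = 4, 4 + info_len, []
        if end > len(data):
            raise ValueError("bad PW info length")
        while off < end and len(ids) < 3:
            t, ln = data[off], data[off + 1]
            if off + 2 + ln > end:
                raise ValueError("sub-TLV overruns the FEC element")
            ids.append(data[off + 2:off + 2 + ln])
            off += 2 + ln
        if len(ids) != 3:
            raise ValueError("AGI, SAII and TAII are all required")
        return {"fec": 129, "agi": ids[0], "saii": ids[1], "taii": ids[2],
                "ifparams": data[off:end], **common}
    raise ValueError(f"unknown FEC element type 0x{kind:02x}")

def match_vpws(local_acs, peer, fec):
    """Double-sided provisioning: the TAII must be one of my local names, and that AC's
    remote name and remote PE must equal the sender's SAII and address. Otherwise the
    label mapping is not accepted: nothing is ever bound to an unprovisioned AC."""
    for ac in local_acs:
        if (ac["local_name"] == fec["taii"] and ac["remote_name"] == fec["saii"]
                and ac["remote_pe"] == peer):
            return ac["ac"]
    return None

def match_vpls(my_vpns, peers_of_vpn, peer, fec):
    """VPLS: AGI carries the VPN-id, SAII and TAII are null; accept only from a PE known
    (by configuration or autodiscovery) to take part in that instance."""
    if fec["saii"] != b"" or fec["taii"] != b"" or fec["agi"] not in my_vpns:
        return None
    return fec["agi"] if peer in peers_of_vpn.get(fec["agi"], ()) else None

def demo():
    """PE1 (192.0.2.1) has one AC whose names cross-match PE2's (192.0.2.2) AC; the same
    mapping arriving from an unexpected PE is refused. Then a VPLS mapping for VPN-id 500."""
    pe1_acs = [{"ac": "PE1:ge-0/0/1", "local_name": aii(11),
                "remote_pe": "192.0.2.2", "remote_name": aii(22)}]
    fec = parse_fec(fec129(b"", aii(22), aii(11)))             # sent by PE2: SAII=22, TAII=11
    ok = match_vpws(pe1_acs, "192.0.2.2", fec)
    refused = match_vpws(pe1_acs, "192.0.2.99", fec)
    vpls = match_vpls({agi(500)}, {agi(500): {"192.0.2.2", "192.0.2.3"}},
                      "192.0.2.2", parse_fec(fec129(agi(500), b"", b"")))
    return ok, refused, vpls, parse_fec(fec128(4242, group_id=1))["pw_id"]
```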
LDP VPLS
- ex-Lasserre-VKompella draft, now draft-ietf-l2vpn-vpls-ldp
- authors: Marc Lasserre (Riverstone) and Vach Kompella (Alcatel)
- supported by Cisco, Nortel, Alcatel, Riverstone, Extreme, Luminous, Corrigent, Hatteras, Overture, RAD
- uses LDP for PW setup and tear-down signaling, and for explicit withdrawal of MACs (to force relearning)
- full mesh of targeted LDP sessions between VPLS-enabled PEs; automatically establishes a full mesh of Ethernet PWs
- a participating PE sends an unsolicited label mapping message to every other PE, specifying the VPN-ID (preferably with the generalized PWid FEC element)

BGP VPLS
- ex-Kompella draft, now draft-ietf-l2vpn-vpls-bgp
- authors: Kireeti Kompella, Yakov Rekhter (Juniper)
- autodiscovery (uses the Route Target extended community as the VPN-ID)
- PW setup and tear-down (uses Network Layer Reachability Information)
- force MAC relearning (uses the Relearn Sequence Number TLV)
Generalizations

Hierarchical VPLS
[Figure: HVPLS: MTU (multi-tenant unit) devices attached to PEs, which participate in the VPLS]
L3VPNs
[Figure: C - CE - PE - P - P - PE - CE - C]
- the CE is an IP router
- virtual router (peering) model, not tunneling
- the PE maintains a Virtual Routing and Forwarding (VRF) table for each VPN

L2VPN vs. L3VPN
                  L2VPN                          L3VPN
signaling         BGP or LDP                     BGP
traffic           all L3 traffic types           limited to IP traffic
ACs               only Ethernet                  supports different L2 technologies
routing           Cs responsible for routing     SP responsible for routing
model             overlay model                  peer model
scaling                                          scales well