Network-based IP VPNs using Virtual Routers Tim Hubbard

Backbone(s) VPN AVPN CVPN BVPN DVPN AVPN BVPN CVPN D PE CE P P P P Network based VPN Network Reference Model CE - Customer Edge Router PE - Provider Edge Router P - Provider Router CE

Network Based VPN Services Provider Edge Router (PE) VPN A VPN B VPN C Provider Edge Router (PE) VPN Service 1 VPN Service 2 VPN Service 3 VPN Service 1 VPN Service 2 VPN Service 3 VPN A VPN B VPN C Backbone(s)

Architecture Design Goals Flexibility –solution architected around choices Scalability –backbone, VPN, PE, etc. Resiliency –NB-VPN services resilient to failures, smooth migration, Manageability –multiple levels of control while reducing NB-VPN service, and network management complexity Reusability –existing management aspects, network mechanisms and tools Security –VPN service, VPN information (routing and data)

Architecture Requirements Per VPN routing and forwarding. No routing/forwarding based on private addresses in the backbone. Any routing protocol can be used in the VPN domain and in the backbone. Overlapping of VPN addresses. Not limited to a single tunneling mechanism. Accommodates different backbone deployment scenarios. Not limited to a single backbone technology

What is a Virtual Router? A virtual router (VR) is an emulation of physical router. A VR has the same mechanisms and functionality as physical routers. Each virtual router maintains separate routing and forwarding tables. Each virtual router can run any routing protocols (OSPF, RIP, BGP-4, etc).

VPN Tunneling Network-based VPNs are implemented through some form of tunneling mechanism. Different tunneling mechanisms can be used (MPLS, IPSec, GRE, L2TP, etc). The architecture allows per VPN tunnels, or using VPN shared tunnels across the backbone.

Scenario 1: - VR to VR Direct Connectivity VR-C VR-A VR-B VPN A VPN B VPN C PE VR-C VR-A VR-B Backbone (ATM, FR, MPLS, etc) PE VPN A VPN B VPN C

Virtual Router Backbone Aggregation Virtual router (called Backbone Virtual Router) for routing in the backbone used at the PE level only. IP or MPLS based tunnels between VRs for transport of VPN information across the backbone.

Scenario 2: - VPNs with Backbone VRs PE Backbone Routing SpaceVPN Routing Space The backbone virtual router is not functionally different than other virtual routers. Backbone VR Backbone VR-C VR-A VR-B VPN A VPN B VPN C

Scenario 3: - Combination of VR Deployment Scenarios VR-B VR-C Backbone VR VPN B VPN C Backbone(s) VR-A VPN A PE

Scenario 4: - Multiple Backbones VR-C VR-A VR-B Backbone VR-1 VPN A VPN B VPN C Backbone-1 VR-D VR-E Backbone VR-2 Backbone-2 VPN E VPN D PE

Scenario 5: - VPNs with Backdoor Links VR-C VR-A VR-B Backbone VR-1 VPN A VPN B VPN C Backbone-1 VR-C VR-A VR-B Backbone VR-1 VPN A VPN B VPN C

Scenario 6: - Outsourcing/Management of the PE VR-C VR-A VR-B Backbone VR-1 VPN A VPN B VPN C Backbone-1 VR-D VR-E Backbone VR-2 Backbone-2 VPN E VPN D PE Service Provider-1 Service Provider-2

Scenario 7: - Multi-protocol VPNs VR-C VR-A VR-B Backbone VR-1 VPN A IPv6 VPN B IPv4 VPN C IPv6 Backbone-1 IPv4/IPv6 PE

Scenario 8: - Backbone Migration Example VR-C VR-A VR-B Backbone VR-1 VPN A VPN B VPN C Backbone IPv4 Backbone VR-2 (MPLS) Backbone MPLS PE VPN services are migrated one at a time

Provider Edge Router 1 Virtual Router B Virtual Router A Virtual Router C Provider Edge Router 2 Virtual Router A Virtual Router C Virtual Router B Routing Instance Routing Instance Routing Update Routing Update Routing Update Backbone Per VPN Reachability Info Virtual Virtual Router Reachability Scheme Each routing instance is independent of each other. Routing Instance Routing Instance Routing Update Routing Update Routing Update Routing Instance Routing Instance Routing Update Routing Update Routing Update VPN A VPN B VPN C VPN A VPN B VPN C

Membership and Topology Determination Different mechanisms can be used (not mutually exclusives): Directory server approach. Explicit configuration Using a VPN auto-discovery mechanism

What can be discovered? VPN Auto-Discovery Tunnel Mechanism (optionally Tunnel endpoints) Membership Information Topology Information VPN Reachability Information (draft RFC2547) The virtual router architecture doesn’t require piggybacking VPN reachability information onto the backbone routing instance.

Discovering VPN Information Provider Edge Router (PE1) VPN A VPN B VPN C Backbone BGP BGP UPDATE BGP UPDATE VPN Information (membership, etc.) Provider Edge Router (PE2) BVR VR-C VR-A VR-B VR-C VR-A VR-B VPN A VPN B VPN C

Discovering Membership Information Provider Edge Router (PE1) VPN A VPN B VPN C Backbone VPN A VPN B VPN C BGP BGP UPDATE BGP UPDATE (VPN-IDs,PE-BVR) Provider Edge Router (PE2) BVR VPN-ID=1:1 VPN-ID=1:2 VPN-ID=1:3 VPN-ID=1:1 VPN-ID=1:2 VPN-ID=1:3 VR-C VR-A VR-B VR-C VR-A VR-B

Discovering Tunnel Endpoints Provider Edge Router (PE1) Backbone BGP BGP UPDATE BGP UPDATE (VPN-IDs, , PE- BVR) Provider Edge Router (PE2) BVR VPN-ID=1:1 VPN-ID=1:2 VPN-ID=1:3 VPN-ID=1:1 VPN-ID=1:2 VPN-ID=1:3 VR-C VR-A VR-B VR-C VR-A VR-B IPsec Tunnel VPN A VPN B VPN C VPN A VPN B VPN C

Discovering VPN Topology Information Provider Edge Router (PE1) Backbone BGP BGP UPDATE BGP UPDATE (1:1, hub, PE BVR) Provider Edge Router (PE2) BVR VPN-ID=1:1 VPN-ID=1:2 VPN-ID=1:3 VPN-ID=1:1 VPN-ID=1:2 VPN-ID=1:3 VR-C VR-A VR-B VR-C VR-A VR-B VPN A VPN B VPN C VPN A VPN B VPN C

BGP based Auto-Discovery Mechanism (for layer-3 VPNs) “Using BGP as an Auto-Discovery Mechanism for Network-based VPNs” Hamid Ould-Brahim, Bryan Gleeson, Peter Ashwood-Smith, Eric Rosen, Yakov Rekhter draft-ouldbrahim-bgpvpn-auto-00.txt

Conclusion Virtual Routers allow Service Providers to build differentiated network-based VPN services. The architecture is highly flexible and accommodates different tunneling mechanisms, and different backbone technologies.

Contacts Hamid Ould-Brahim Nortel Networks P. O. Box 3511 Station C Ottawa, ON, K1Y 4H7 Canada Phone: +1 (613) Bryan Gleeson Nortel Networks 2305 Mission College Blvd Santa Clara CA USA Phone: +1 (408)

Thank You