1 © 2004 Cisco Systems, Inc. All rights reserved. L2VPN RADIUS - IETF 62 L2VPN RADIUS Auto-discovery and provisioning draft-ietf-l2vpn-radius-pe-discovery-01.

Presentation transcript:

Slide 1: L2VPN RADIUS Auto-discovery and provisioning, draft-ietf-l2vpn-radius-pe-discovery-01. Mark Townsley, Greg Weber, Wei Luo, Skip Booth (Juha Heinanen). IETF 62.

Slide 2: draft-ietf-l2vpn-radius-pe-discovery
- Presented at IETF-61
- Protocol-independent information model corresponding to multi-layered authorization
- Different layers may map to different protocol-specific solutions based on deployments
- RADIUS-specific mappings defined
- Collapsible layers

Slides 3-6: L2VPN Authorization Steps
1. CE/AC Authorization: Attachment Circuit to VPN ID
2. VPN Authorization: VPN ID to PE Membership
3. PW Authorization: PE Membership to PW signaling
Each step is independent and may be performed by any combination of local configuration, RADIUS, BGP, etc.
(Figure, built up over the four slides: a CE attached to a PE; the attachment circuit is mapped to VPN-ID="101:14", whose membership is PE-A and PE-B, between which the pseudowire is signaled.)

Slide 7: Changes in the -01 version of draft-ietf-l2vpn-radius-pe-discovery
- Updated terminology
- Generalized from VPLS to VPLS/VPWS/etc.
- Reduced L2VPN-specific requirements on RADIUS servers, e.g. made servers less stateful
- Defined RADIUS attributes to support the above

Slide 8: Updated Terminology (latest terminology from draft-ietf-l2vpn-l2-framework-05 and draft-ietf-l2vpn-signaling-03)
- AII: Attachment Individual Identifier
- AC: Attachment Circuit
- AGI: Attachment Group Identifier
- AS: Autonomous System
- CE: Customer Equipment
- L2VPN: Layer 2 Provider Provisioned Virtual Private Network
- NAI: Network Access Identifier
- NAS: Network Access Server
- PE: Provider Equipment
- SAI: Source Attachment Identifier
- SAII: Source Attachment Individual Identifier
- RADIUS: Remote Authentication Dial In User Service
- TAI: Target Attachment Identifier
- TAII: Target Attachment Individual Identifier
- VPLS: Virtual Private LAN Service
- VPN: Virtual Private Network
- VPWS: Virtual Private Wire Service

Slide 9: RADIUS Attributes
- VPN-ID: RFC 2685, "Virtual Private Networks Identifier"
- Router-Distinguisher: draft-ietf-l3vpn-rfc2547bis-03, "BGP/MPLS IP VPNs"
- Attachment-Individual-ID: draft-ietf-l2vpn-signaling-03, "Provisioning Models and Endpoint Identifiers in L2VPN Signaling"
- Per-Hop-Behavior: RFC 3140, "Per Hop Behavior Identification Codes"
- PE-Router-ID: draft-ietf-l2vpn-signaling-03, "Provisioning Models and Endpoint Identifiers in L2VPN Signaling"
- PE-Address: IP address of the PE
- PE-Record: PE-Router-ID + AII [+ PW attribute/value pairs]

Slide 10: RADIUS Transactions (Access-Request / Access-Response contents)
CE/AC Authorization
- Access-Request: User-Name = NAI or AC name; NAS-IP-Address
- Access-Response: VPN-ID or Router-Distinguisher; VSAs for circuit-specific parameters
VPN Authorization
- Access-Request: User-Name = VPN-ID or Router-Distinguisher; NAS-IP-Address
- Access-Response: PE-Router-ID, PE-Address, Attachment-Individual-Identifier; or multiple PE-Records like "PE-Router-ID:AII"
Pseudowire Authorization
- Access-Request: User-Name = PE-Router-ID; NAS-IP-Address; VPN-ID or Router-Distinguisher; Attachment-Individual-Identifier
- Access-Response: Per-Hop-Behavior; possibly a DSCP setting
Collapsed Transaction
- Access-Request: User-Name = NAI or AC name; NAS-IP-Address
- Access-Response: multiple PE-Records like "PE-Router-ID:AII:PHB= "

Slide 11: RADIUS Examples, CE/AC Authorization
Request: User-Name = (CE NAI); NAS-IP-Address = " "
Response: VPN-ID = "100:14"
Request: User-Name = "ATM14.0.1" (AC Name); NAS-IP-Address = " "
Response: Router-Distinguisher = "1: :10001"

Slide 12: RADIUS Examples, VPN Authorization
Request: User-Name = "100:14" (VPN-ID); NAS-IP-Address = " "
Response: PE-Record = " :14" (PE-Router-ID:AII); PE-Record = " :15"; PE-Record = " :24"; PE-Record = " :25"
Request: User-Name = "100:14" (VPN-ID); NAS-IP-Address = " "
Response: PE-Record = " :14:PHB=256"

Slide 13: RADIUS Examples, Pseudowire Authorization
Request: User-Name = " " (PE-Router-ID); NAS-IP-Address = " "; Attachment-Individual-ID = "14"; VPN-ID = "100:14"
Response: Per-Hop-Behavior = "256"
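The transactions of slides 10-13, as an added worked example that is not part of the draft or the slides: the three authorization steps (and the collapsed PE-Record form) are driven from constructed in-memory tables standing in for the RADIUS server's Access-Accept contents, the PE-Record string is parsed and validated before it is acted on, and step 3 is only issued for records that did not already carry the PW parameters. The 192.0.2.0/24 addresses, the `PERecord` type and the function names are my own, not the draft's.

```python
from dataclasses import dataclass, field
import ipaddress

# Constructed stand-ins for the Access-Accept contents of each transaction.
CE_AC_AUTH = {"ATM14.0.1": {"VPN-ID": "100:14"}}                 # step 1: AC -> VPN
VPN_AUTH = {"100:14": ["192.0.2.1:14", "192.0.2.2:15",          # step 2: VPN -> PEs
                       "192.0.2.3:24:PHB=256"]}                 # (last one collapsed)
PW_AUTH = {("192.0.2.2", "100:14", "15"): {"Per-Hop-Behavior": "256"}}  # step 3

@dataclass
class PERecord:
    pe_router_id: str
    aii: str
    pw_params: dict = field(default_factory=dict)  # e.g. {"PHB": "256"}

def parse_pe_record(value: str) -> PERecord:
    """Parse 'PE-Router-ID:AII[:name=value...]'; reject anything malformed so a
    bad or tampered RADIUS reply cannot turn into a pseudowire to nowhere."""
    parts = value.split(":")
    if len(parts) < 2:
        raise ValueError(f"PE-Record without AII: {value!r}")
    router_id = str(ipaddress.IPv4Address(parts[0]))  # raises on non-IPv4 text
    if not parts[1].isdigit():
        raise ValueError(f"AII must be numeric: {value!r}")
    params = {}
    for kv in parts[2:]:
        name, sep, val = kv.partition("=")
        if not sep or not name or not val:
            raise ValueError(f"bad PW parameter {kv!r} in {value!r}")
        params[name] = val
    return PERecord(router_id, parts[1], params)

def authorize_pseudowires(ac_name: str, local_pe_id: str):
    """Run steps 1-3 for one attachment circuit on PE `local_pe_id` and return
    (vpn_id, [(remote PE-Router-ID, remote AII, PW params), ...])."""
    vpn_id = CE_AC_AUTH[ac_name]["VPN-ID"]                       # step 1
    records = [parse_pe_record(r) for r in VPN_AUTH[vpn_id]]     # step 2
    pws = []
    for rec in records:
        if rec.pe_router_id == local_pe_id:
            continue                                             # own membership
        params = dict(rec.pw_params)
        if "PHB" not in params:                                  # step 3 only if needed
            reply = PW_AUTH.get((rec.pe_router_id, vpn_id, rec.aii), {})
            if "Per-Hop-Behavior" in reply:
                params["PHB"] = reply["Per-Hop-Behavior"]
        pws.append((rec.pe_router_id, rec.aii, params))
    return vpn_id, pws
```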

Slide 14: To do
- Address accounting; steps #1 and #3 are the most interesting
- Address dynamic authorization changes (via RFC 3576); input from RADEXT WG (this week)
- Security, IANA
- Scalability
- Considerations for IPv6?
- How do CE credentials get to the PE for authenticated "zero-touch" provisioning?