MPLS and VPNs (David Andersen) (Nick Feamster) February 18, 2008

2 Packet Switching l Source sends information as self-contained packets that have an address. »Source may have to break up single message into multiple l Each packet travels independently to the destination host. »Routers and switches use the address in the packet to determine how to forward the packets l Destination recreates the message. l Analogy: a letter in surface mail.

3 Circuit Switching l Source first establishes a connection (circuit) to the destination. »Each router or switch along the way may reserve some bandwidth for the data flow l Source sends the data over the circuit. »No need to include the destination address with the data since the routers know the path l The connection is torn down. l Example: telephone network.

4 Circuit Switching Discussion l Traditional circuits: on each hop, the circuit has a dedicated wire or slice of bandwidth. »Physical connection - clearly no need to include addresses with the data l Advantages, relative to packet switching: »Implies guaranteed bandwidth, predictable performance »Simple switch design: only remembers connection information, no longest-prefix destination address look up l Disadvantages: »Inefficient for bursty traffic (wastes bandwidth) »Delay associated with establishing a circuit l Can we get the advantages without (all) the disadvantages?

5 Virtual Circuits l Each wire carries many “virtual” circuits. »Forwarding based on virtual circuit (VC) identifier – IP header: src, dst, etc. –Virtual circuit header: just “VC” »A path through the network is determined for each VC when the VC is established »Use statistical multiplexing for efficiency l Can support wide range of quality of service. »No guarantees: best effort service »Weak guarantees: delay < 300 msec, … »Strong guarantees: e.g. equivalent of physical circuit

6 Packet Switching and Virtual Circuits: Similarities l “Store and forward” communication based on an address. »Address is either the destination address or a VC identifier l Must have buffer space to temporarily store packets. »E.g. multiple packets for some destination arrive simultaneously l Multiplexing on a link is similar to time sharing. »No reservations: multiplexing is statistical, i.e. packets are interleaved without a fixed pattern »Reservations: some flows are guaranteed to get a certain number of “slots” ABACBD

7 Virtual Circuits Versus Packet Switching l Circuit switching: »Uses short connection identifiers to forward packets »Switches know about the connections so they can more easily implement features such as quality of service »Virtual circuits form basis for traffic engineering: VC identifies long-lived stream of data that can be scheduled l Packet switching: »Use full destination addresses for forwarding packets »Can send data right away: no need to establish a connection first »Switches are stateless: easier to recover from failures »Adding QoS is hard »Traffic engineering is hard: too many packets!

8 Packet switched vs. VC A B R2 R1 R3 R4 R1 packet forwarding table: Dst R2 R1 VC table: VC 1 R2 VC 2 R3 Different paths to same destination! (useful for traffic engineering!) VCI Payload Dst Payload Dst

9 Virtual Circuit A B R2 R1 R3 R4 R1 VC table: VC 5 R2 VCI Payload Dst R2 VC table: VC 5 R4 Challenges: - How to set up path? - How to assign IDs??

10 Virtual Circuit Switching: Label (“tag”) Swapping l Global VC ID allocation -- ICK! Solution: Per-link uniqueness. Change VCI each hop. Input Port Input VCI Output Port Output VCI R1: R2: R4: A B R2 R1 R3 R4Dst

11 Label (“tag”) Swapping l Result: Signalling protocol must only find per-link unused VCIs. »“Link-local scope” »Connection setup can proceed hop-by-hop. –Good news for our setup protocols!

12 Virtual Circuits In Practice l Asynchronous Transfer Mode (ATM): Teleco approach »Kitchen sink. Based on voice, support file transfer, video, etc., etc. »Intended as IP replacement. That didn’t happen. :) »Today: Underlying network protocol in many teleco networks. E.g., DSL speaks ATM. IP over ATM in some cases. l MPLS: The “IP Heads” answer to ATM »Stole good ideas from ATM »Integrates well with IP »Today: Used inside some networks to provide VPN support, traffic engineering, simplify core. l Other nets just run IP. l Older tech: Frame Relay »Only provided PVCs. Used for quasi-dedicated 56k/T1 links between offices, etc. Slower, less flexible than ATM.

13 ATM Cell Switching l Small, fixed-size cells [Fixed-length data][header] l Why? »Efficiency: All packets the same –Easier hardware parallelism, implementation »Switching efficiency: –Lookups are easy -- table index. »Result: Very high cell switching rates. »Initial ATM was 155Mbit/s. Ethernet was 10Mbit/s at the same time. (!) l How do you pick the cell size?

14 ATM Features l Fixed size cells (53 bytes). »Why 53? l Virtual circuit technology using hierarchical virtual circuits (VP,VC). l PHY (physical layer) processing delineates cells by frame structure, cell header error check. l Support for multiple traffic classes by adaptation layer. »E.g. voice channels, data traffic l Elaborate signaling stack. »Backwards compatible with respect to the telephone standards l Standards defined by ATM Forum. »Organization of manufacturers, providers, users

15 Why 53 Bytes? l Small cells favored by voice applications »delays of more than about 10 ms require echo cancellation »each payload byte consumes 125  s (8000 samples/sec) l Large cells favored by data applications »Five bytes of each cell are overhead l France favored 32 bytes »32 bytes = 4 ms packetization delay. »France is 3 ms wide. »Wouldn’t need echo cancellers! l USA, Australia favored 64 bytes »64 bytes = 8 ms »USA is 16 ms wide »Needed echo cancellers anyway, wanted less overhead l Compromise

16 Multi Protocol Label Switching - MPLS l Selective combination of VCs + IP »Today: MPLS useful for traffic engineering, reducing core complexity, and VPNs l Core idea: Layer 2 carries VC label »Could be ATM (which has its own tag) »Could be a “shim” on top of Ethernet/etc.: »Existing routers could act as MPLS switches just by examining that shim -- no radical re-design. Gets flexibility benefits, though not cell switching advantages Layer 2 header Layer 3 (IP) header Layer 2 header Layer 3 (IP) header MPLS label

17 MPLS + IP l Map packet onto Forward Equivalence Class (FEC) »Simple case: longest prefix match of destination address »More complex if QoS of policy routing is used l In MPLS, a label is associated with the packet when it enters the network and forwarding is based on the label in the network core. »Label is swapped (as ATM VCIs) l Potential advantages. »Packet forwarding can be faster »Routing can be based on ingress router and port »Can use more complex routing decisions »Can force packets to followed a pinned route

18 MPLS core, IP interface A B R2 R1 R3 R4 C D IP MPLS tag assigned IP MPLS forwarding in core MPLS tag stripped

19 MPLS use case #1: VPNs A B R2 R1 R3 R4 C D /24 MPLS tags can differentiate green VPN from orange VPN.

20 MPLS use case #2: Reduced State Core A R2 R1 R3 R4 C. EBGP A R2 R1 R3 R4 C EBGP IP Core MPLS Core A-> C pkt Internal routers must know all C destinations R1 uses MPLS tunnel to R4. R1 and R4 know routes, but R2 and R3 don’t.

21 MPLS use case #3: Traffic Engineering l As discussed earlier -- can pick routes based upon more than just destination l Used in practice by many ISPs, though certainly not all.

22 MPLS Mechanisms l MPLS packet forwarding: implementation of the label is technology specific. »Could be ATM VCI or a short extra “MPLS” header l Supports stacked labels. »Operations can be “swap” (normal label swapping), “push” and “pop” labels. –VERY flexible! Like creating tunnels, but much simpler -- only adds a small label. LabelCoSSTTL CoS: Class of Service S: Bottom of Stack

23 MPLS Discussion l Original motivation. »Fast packet forwarding: –Use of ATM hardware –Avoid complex “longest prefix” route lookup –Limitations of routing table sizes »Quality of service l Currently mostly used for traffic engineering and network management. »LSPs can be thought of as “programmable links” that can be set up under software control » on top of a simple, static hardware infrastructure

24 Layer 3 Virtual Private Networks Private communications over a public network A set of sites that are allowed to communicate with each other Defined by a set of administrative policies –determine both connectivity and QoS among sites –established by VPN customers –One way to implement: BGP/MPLS VPN mechanisms (RFC 2547)

25 Building Private Networks Separate physical network –Good security properties –Expensive! Secure VPNs –Encryption of entire network stack between endpoints Layer 2 Tunneling Protocol (L2TP) –“PPP over IP” –No encryption Layer 3 VPNs Privacy and interconnectivity (not confidentiality, integrity, etc.)

26 Layer 3 BGP/MPLS VPNs Isolation: Multiple logical networks over a single, shared physical infrastructure Tunneling: Keeping routes out of the core VPN A/Site 1 VPN A/Site 2 VPN A/Site 3 VPN B/Site 2 VPN B/Site 1 VPN B/Site 3 CE A1 CE B3 CE A3 CE B2 CE A2 CE 1 B1 CE 2 B1 PE 1 PE 2 PE 3 P1P1 P2P2 P3P3 10.1/ / / / / /16 BGP to exchange routes MPLS to forward traffic

27 High-Level Overview of Operation IP packets arrive at PE (Provider Edger router) Destination IP address is looked up in forwarding table for customer site Datagram sent to customer’s network using tunneling (i.e., an MPLS label-switched path)

28 BGP/MPLS VPN key components Forwarding in the core: MPLS Distributing routes between PEs: BGP Isolation: Keeping different VPNs from routing traffic over one another –Constrained distribution of routing information –Multiple “virtual” forwarding tables Unique addresses: VPN-IPV4 Address extension (8- byte Route Distinguisher (RD) added to IPV4 address)

29 Virtual Routing and Forwarding (VFR) Separate tables per customer at each router /24 RD: Green /24 RD: Blue /24 Customer 1 Customer 2 Customer 1 Customer 2

30 Routing: Constraining Distribution Performed by Service Provider using route filtering based on BGP Extended Community attribute – BGP Community is attached by ingress PE route – filtering based on BGP Community is performed by egress PE Site 1Site 2Site 3 Static route, RIP, etc. RD: /24 Route target: Green Next-hop: A A /24 BGP

31 BGP/MPLS VPN Routing in Cisco IOS ip vrf Customer_A rd 100:110 route-target export 100:1000 route-target import 100:1000 ! ip vrf Customer_B rd 100:120 route-target export 100:2000 route-target import 100:2000 Customer ACustomer B

32 Forwarding PE and P routers have BGP next-hop reachability through the backbone IGP Labels are distributed through LDP (Label Distribution Protocol) (hop-by-hop) corresponding to BGP Next-Hops Two-Label Stack is used for packet forwarding Top label indicates Next-Hop (interior label) Second level label indicates outgoing interface or VRF (exterior label) IP Datagram Label 2 Label 1 Layer 2 Header Corresponds to LSP (Label Switched Path) of BGP next-hop (PE) Corresponds to VRF/interface at exit

33 Forwarding in BGP/MPLS VPNs Step 1: Packet arrives at incoming interface –Site VRF determines BGP next-hop and Label #2 IP Datagram Label 2 Step 2: BGP next-hop lookup, add corresponding LSP (also at site VRF) IP Datagram Label 2 Label 1