L2VPN RADIUS Auto-discovery and provisioning
Mark Townsley, Greg Weber, Wei Luo, Skip Booth (Juha Heinanen)
IETF 61
© 2004 Cisco Systems, Inc. All rights reserved. L2VPN RADIUS - IETF 61
Some issues with current version of draft-ietf-l2vpn-radius-pe-discovery
Good document, but...
- Narrowly focused, targeted primarily at VPLS
- Does not take advantage of newly defined RADIUS CoA extensions (RFC3576), instead requiring periodic polling of the RADIUS server to detect changes in provisioning
- Requires stateful extension to RADIUS servers, e.g., advertising PE identity via attributes in access request messages rather than relying on a centralized configuration database
L2VPN RADIUS - Goals for Updating Document
- Generalize RADIUS PE discovery to be applicable to a wider range of L2VPN models (e.g., allow VPWS and VPLS)
- Better align with L2VPN terminology and architecture
- More alignment with existing RADIUS server capabilities:
  - Stateless operation (no "polling" by the PE, etc.)
  - Centralized configuration
- Strive for "Zero-Touch" provisioning, i.e., new CEs to be deployable with little to no impact on PE configuration
- Applicable to MPLS or L2TPv3
L2VPN Authorization Steps
1. CE/AC Authorization - Attachment Circuit to VPN ID
2. VPN Authorization - VPN ID to PE Membership
3. PW Authorization - PE Membership to PW signaling
(Figure: CE attached to PE; the three steps sit between them.)
Each step is independent and may be performed by any combination of local configuration, RADIUS, BGP, etc.
L2VPN Authorization Schema
- Defined using "Single-Sided Signaling" nomenclature
- Normalized for MPLS or L2TPv3 PWs
- Likely no need for draft-ietf-l2vpn-l2tp-radius-vpls-00.txt
- 3 records in schema does not necessarily imply 3 off-box transactions

AC Record (indexed by Router ID + Interface name, SAI, or CE Identity):
  SAI (AGI+SAII); Service Type (VPLS, VPWS, IPLS, etc.); Circuit-specific Parameters (QoS, etc.)
VPN Record (indexed by AGI (VPN ID)):
  PE Router ID + SAII, PE Router ID + SAII, ...
Pseudowire Record (indexed by Router ID + SAII):
  PW-specific parameters (TE Tunnel mapping, DSCP Setting, etc.)

Collapsed Schema
- Parameters collapsed into single record to reduce the quantity of RADIUS transactions
- Particularly suited for VPWS, or VPLS with a limited number of PEs
- Generic rule for PW setup: If Router ID from Auth Record is different from the local Router ID, use SAI as TAI in PW signaling (LDP or L2TPv3)

Auth Record (indexed by Router ID + Interface name, SAI, or CE identity):
  SAI (AGI+SAII); Service Type; Circuit-specific Parameters (QoS, etc.)
  PE Router ID + SAII, PW-specific parameters (Preferred-path, DSCP Setting, etc.)
  PE Router ID + SAII, PW-specific parameters (Preferred-path, DSCP Setting, etc.)
  ...
VPWS Example
AC Record (atm1/0 1/100): Bandwidth: 40%; Cell-packing: 1; Members: ; VPN-ID:
  Control Plane = LDP; EXP = 0x03
AC Record (atm2/0 2/100): Bandwidth: 40%; Cell-packing: 1; Members: ; VPN-ID:
  Control Plane = LDP; EXP = 0x03
VPLS example
VPN foo.com:
  AC Record (fe1/0.100): AGI: foo.com
  AC Record (fe1/1.100): AGI: foo.com
  VPN Record: Members: , , , ; VPN-ID: 100
  Pseudowire Record (:100): Preferred-path: tun1; Exp-setting: 0x
VPN bar.com:
  AC Record (fe2/0.100): AGI: bar.com
  AC Record (fe2/1.100): AGI: bar.com
  VPN Record: Members: , , , ; VPN-ID: 200
  Pseudowire Record (:200): Preferred-path: tun2; Exp-setting: 0x
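To make the collapsed schema and its generic PW-setup rule concrete, here is an added example (not code from the draft or these slides) that models an Auth Record and derives the pseudowires a PE must signal for the VPWS and VPLS cases above. The class and function names (SAI, AuthRecord, plan_pseudowires), the router IDs, and the one-PW-per-remote-PE rule for VPLS are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example: a minimal model of the collapsed authorization record.
# Names and sample values are constructed for illustration.

@dataclass(frozen=True)
class SAI:
    agi: str   # Attachment Group Identifier, i.e. the VPN ID
    saii: str  # Source Attachment Individual Identifier (the attachment circuit)

@dataclass
class AuthRecord:
    sai: SAI                                 # this PE's own attachment circuit
    service_type: str                        # "VPWS" or "VPLS"
    members: List[Tuple[str, str]]           # VPN membership: (PE Router ID, SAII) per member
    pw_params: Dict[str, object] = field(default_factory=dict)  # PW-specific parameters

def plan_pseudowires(local_router_id: str, rec: AuthRecord) -> List[Dict[str, object]]:
    """Generic rule from the slides: for every member whose Router ID differs from the
    local one, signal a PW whose TAI is that member's SAI (same AGI, member's SAII)."""
    pws, seen = [], set()
    for router_id, saii in rec.members:
        if router_id == local_router_id:
            continue   # AC on the local PE: cross-connected or bridged locally, no PW needed
        if rec.service_type == "VPLS" and router_id in seen:
            continue   # VPLS full mesh: one PW per remote PE per VPN (assumption of this example)
        seen.add(router_id)
        pws.append({"peer": router_id, "sai": rec.sai,
                    "tai": SAI(rec.sai.agi, saii), **rec.pw_params})
    if rec.service_type == "VPWS" and len(pws) != 1:
        # A VPWS is point-to-point: anything but exactly one remote member is a provisioning error.
        raise ValueError(f"VPWS {rec.sai} has {len(pws)} remote members, expected 1")
    return pws

def vpws_example() -> List[Dict[str, object]]:
    """Constructed input mirroring the VPWS slide: two ATM ACs on two PEs, LDP, EXP 0x03."""
    rec = AuthRecord(SAI("100", "atm1/0 1/100"), "VPWS",
                     [("10.0.0.1", "atm1/0 1/100"), ("10.0.0.2", "atm2/0 2/100")],
                     {"control_plane": "LDP", "exp": 0x03})
    return plan_pseudowires("10.0.0.1", rec)

def vpls_example() -> List[Dict[str, object]]:
    """Constructed input mirroring the VPLS slide: AGI foo.com with ACs on three PEs;
    the local PE has two ACs (bridged locally) and needs a PW to each other PE."""
    rec = AuthRecord(SAI("foo.com", "fe1/0.100"), "VPLS",
                     [("10.0.0.1", "fe1/0.100"), ("10.0.0.1", "fe1/1.100"),
                      ("10.0.0.2", "fe2/0.100"), ("10.0.0.2", "fe2/1.100"),
                      ("10.0.0.3", "fe3/0.100")],
                     {"preferred_path": "tun1"})
    return plan_pseudowires("10.0.0.1", rec)
```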
RADIUS Accounting
- RADIUS Accounting messages may be used for logging and billing
- Really makes sense only at the AC and PW; accounting on VPN PE-membership is not very useful

Next Steps?
- Comments/suggestions?
- Update draft-ietf-l2vpn-radius-pe-discovery with something along the lines of what is in this presentation?
- Let draft-ietf-l2vpn-l2tp-radius-vpls-00.txt expire?