Network Working Group                                 Y. El Mghazli, Ed.
Request for Comments: 4176                                       Alcatel
Category: Informational                                        T. Nadeau
                                                                   Cisco
                                                            M. Boucadair
                                                          France Telecom
                                                                 K. Chan
                                                                  Nortel
                                                              A. Gonguet
                                                                 Alcatel
                                                            October 2005
        

Framework for Layer 3 Virtual Private Networks (L3VPN) Operations and Management

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

This document provides a framework for the operation and management of Layer 3 Virtual Private Networks (L3VPNs). This framework intends to produce a coherent description of the significant technical issues that are important in the design of L3VPN management solutions. The selection of specific approaches, and making choices among information models and protocols are outside the scope of this document.

Table of Contents

   1.  Introduction
       1.1.  Terminology
       1.2.  Management functions
       1.3.  Reference Models
   2.  Customer Service Operations and Management
       2.1.  Customer Service Management Information Model
       2.2.  Customer Management Functions
             2.2.1.  Fault Management
             2.2.2.  Configuration Management
             2.2.3.  Accounting
             2.2.4.  Performance Management
             2.2.5.  Security Management
       2.3.  Customer Management Functional Description
             2.3.1.  L3VPN Service Offering Management
             2.3.2.  L3VPN Service Order Management
             2.3.3.  L3VPN Service Assurance
   3.  Provider Network Manager
       3.1.  Provider Network Management Definition
       3.2.  Network Management Functions
             3.2.1.  Fault Management
             3.2.2.  Configuration Management
             3.2.3.  Accounting
             3.2.4.  Performance Management
             3.2.5.  Security Management
   4.  L3VPN Devices
       4.1.  Information Model
       4.2.  Communication
   5.  Security Considerations
   6.  Acknowledgements
   7.  Normative References

1. Introduction
1.1. Terminology

In this document, the following terms are used and defined as follows:

VPN:

Virtual Private Network. A set of transmission and switching resources that will be used over a shared infrastructure to process the (IP) traffic that characterizes communication services between the sites or premises interconnected via this VPN. See [RFC4026].

L3VPN:

An L3VPN interconnects sets of hosts and routers based on Layer 3 addresses. See [RFC4026].

VPN Instance:

From a management standpoint, a VPN instance is the collection of configuration information associated with a specific VPN, residing on a PE router.

VPN Site:

A VPN customer's location that is connected to the Service Provider network via a CE-PE link, which can access at least one VPN.

VPN Service Provider (SP):

A Service Provider that offers VPN-related services.

VPN Customer:

Refers to a customer that bought VPNs from a VPN service provider.

Customer Agent:

Denotes the entity that is responsible for requesting VPN customer-specific information.

Service Level Agreement (SLA):

Contractual agreement between the Service Provider and Customer, which includes qualitative and quantitative metrics that define service quality guarantees and retribution procedures when service levels are not being met.

Service Level Specifications (SLS):

Internally-focused service performance specifications used by the Service Provider to manage customer service quality levels.

1.2. Management functions

For any type of Layer-3 VPN (PE or CE-based VPNs), having a management platform where the VPN-related information could be collected and managed is recommended. The Service and Network Management System may centralize information related to instances of a VPN and allow users to configure and provision each instance from a central location.

An SP must be able to manage the capabilities and characteristics of its VPN services. Customers should have means to ensure fulfillment of the VPN service to which they subscribed. To the extent possible, automated operations and interoperability with standard management protocols should be supported.

Two main management functions are identified:

A customer service management function:

This function provides the means for a customer to query, configure, and receive (events/alarms) customer-specific VPN service information. Customer-specific information includes data related to contact, billing, site, access network, IP address, routing protocol parameters, etc. It may also include confidential data, such as encryption keys. Several solutions could be used:

* Proprietary network management system

* SNMP manager

* PDP function

* Directory service, etc.

A provider network management function:

This function is responsible for planning, building, provisioning, and maintaining network resources in order to meet the VPN service-level agreements outlined in the SLA offered to the customer. This mainly consists of (1) setup and configuration of physical links, (2) provisioning of logical VPN service configurations, and (3) life-cycle management of VPN service, including the addition, modification, and deletion of VPN configurations.

There may be relationships between the customer service and provider network management functions, as the provider network is managed to support/realize/provide the customer service. One example use of this relationship is to provide the VPN-SLS assurance for verifying the fulfillment of the subscribed VPN agreement.

1.3. Reference Models

The ITU-T Telecommunications Management Network has the following generic requirements structure:

o Engineer, deploy and manage the switching, routing, and transmission resources supporting the service from a network perspective (network element management);

o Manage the VPNs deployed over these resources (network management);

o Manage the VPN service (service management);

      - - - - - - - - - - - - - - - - - - - - - - - -:- - - - - - - - -
      Service      +-------------+                   :      +----------+
      Management   |   Service   |<------------------:----->| Customer |
      Layer        |   Manager   |                   :      | Agent    |
                   +-------------+                   :      +----------+
      - - - - - - - - - - ^ - - - - - - - - - - - - -:- - - - - - - - -
      Network             |       +------------+     :
      Management          |       |  Provider  |     :
      Layer               |       |  Network   |  Customer
                          +------>|  Manager   |  Interface
                                  +------------+     :
      - - - - - - - - - - - - - - - - - ^ - - - - - -:- - - - - - - - -
      Network Element                   |            :
      Management                        |  +------+  :  +------+
      Layer                             |  |      |  :  |  CE  |
                                        +->|  PE  |  :  |device|
                                           |device|  :  |  of  |
                                           |      |--:--|VPN  A|
                                           +------+  :  +------+
      ---------------------------------------------->:<----------------
                     SP network                      :  Customer Network
        

Figure 1: Reference Model for PE-based L3VPN Management

      - - - - - - - - - - - - - - - - - - - - - - - -:- - - - - - - - -
      Service      +-------------+                   :      +----------+
      Management   |   Service   |<------------------:----->| Customer |
      Layer        |   Manager   |                   :      | Agent    |
                   +-------------+                   :      +----------+
      - - - - - - - - - - ^ - - - - - - - - - - - - -:- - - - - - - - -
      Network             |       +------------+     :
      Management          |       |  Provider  |     :
      Layer               |       |  Network   |  Customer
                          +------>|  Manager   |  Interface
                                  +------------+     :
      - - - - - - - - - - - - - - - -^- - - -^- - - -:- - - - - - - - -
      Network Element                |       +-------:---------------+
      Management                     |     +------+  :  +------+     |
      Layer                          |     |      |  :  |  CE  |     |
                                     +---->|  PE  |  :  |device|<----+
                                           |device|  :  |  of  |
                                           |      |--:--|VPN  A|
                                           +------+  :  +------+
      ---------------------------------------------->:<----------------
                     SP network                      :  Customer Network
        

Figure 2: Reference Model for CE-based L3VPN Management

Above, Figures 1 and 2 present the reference models for both PE and CE-based L3VPN management, according to the aforementioned generic structure.

In both models, the service manager administrates customer-specific attributes, such as customer Identifier (ID), personal information (e.g., name, address, phone number, credit card number, etc.), subscription services and parameters, access control policy information, billing and statistical information, etc.

In the PE-based reference model, the provider network manager administrates device attributes and their relationships, covering PE devices and other devices that construct the corresponding PE-based VPN.

In the CE-based reference model, the provider network manager administrates device attributes and their relationships, covering PE and CE devices that construct the corresponding CE-based VPN.

Network and customer service management systems that are responsible for managing VPN networks have several challenges, depending on the type of VPN network(s) they are required to manage.

2. Customer Service Operations and Management

Services offered by providers can be viewed from the customer's or the provider's perspective. This section describes service management from the customer's perspective, focusing on the Customer Management function.

The Customer Management function's goal is to manage the service-based operations like service ordering, service subscription, activation, etc.

The Customer Management function resides in the L3VPN service manager at the Service Management Layer (SML). It mainly consists of defining the L3VPN services offered by the SP, collecting and consolidating the customer L3VPN services requirements, as well as performing some reporting for the customer. This function is correlated with the Network Management function at the Network Management Layer (NML) for initiating the L3VPN services provisioning, and getting some service reporting.

2.1. Customer Service Management Information Model

This section presents a framework that is used for L3VPN customer service management at the SML. The information framework represents the data that need to be managed, and the way they are represented. At the SML, the information framework that is foreseen is composed of Service Level Agreements (SLA) and Service Level Specifications (SLS).

Services are described through Service Level Agreements (SLA), which are contractual documents between customers and service providers. The technical part of the service description is called the Service Level Specification (SLS). The SLS groups different kinds of parameters. Some are more related to the description of the transport of the packets, and some to the specification of the service itself.

A Service Level Specification (SLS) may be defined per access network connection, per VPN, per VPN site, and/or per VPN route. The service provider may define objectives and the measurement intervals, for at least the SLS, using the following Service Level Objective (SLO) parameters:

o QoS and traffic parameters

o Availability for the site, VPN, or access connection

o Duration of outage intervals per site, route, or VPN

o Service activation interval (e.g., time to turn up a new site)

o Trouble report response time interval

o Time to repair interval

o Total incoming/outgoing traffic from a site or a (VPN) route, or that has transited through the whole VPN

o Measurement of non-conforming incoming/outgoing traffic (compliance of traffic should deserve some elaboration because of many perspectives - security, QoS, routing, etc.) from a site or a (VPN) route, or that has transited through the whole VPN

The service provider and the customer may negotiate contractual penalties in the case(s) where the provider does not meet a (set of) SLS performance objective(s).

Traffic parameters and actions should be defined for incoming and outgoing packets that go through the demarcation between the service provider premises and the customer's premises. For example, traffic policing functions may be activated at the ingress of the service provider's network, while traffic shaping capabilities could be activated at the egress of the service provider's network.

2.2. Customer Management Functions

This section presents detailed customer management functions in the traditional fault, configuration, accounting, performance, and security (FCAPS) management categories.

2.2.1. Fault Management

The fault management function of the Customer Service Manager relies upon the manipulation of network layer failure information, and it reports incidents to the impacted customers. Such reports should be based upon and related to the VPN service offering to which the customer is subscribed. The Customer Management function support for fault management includes:

o Indication of customer's services impacted by failure

o Incident recording or logs

o Frequency of tests

o Ability to invoke probes from the customer and provider

o Ability to uncover faults before the customer notices them

2.2.2. Configuration Management

The configuration management function of the Customer Manager must be able to configure L3VPN service parameters with the level of detail that the customer is able to specify, according to service templates defined by the provider.

A service template contains fields which, when instantiated, yield a definite service requirement or policy. For example, a template for an IPsec tunnel [RFC2401] would contain fields such as tunnel end points, authentication modes, encryption and authentication algorithms, shared keys (if any), and traffic filters.

Other examples: a BGP/MPLS-based VPN service template would contain fields such as the customer premises that need to be interconnected via the VPN, and a QoS agreement template would contain fields such as one-way transit delay, inter-packet delay variation, throughput, and packet loss thresholds.
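
The following is an added example, not code from RFC 4176: a small service-template mechanism of the kind Section 2.2.2 describes, instantiated with the IPsec tunnel template's field list (end points, authentication mode, encryption and authentication algorithms, optional shared key, traffic filters). The field names, the allowed values, the cross-field rules and the marking of the shared key as confidential are assumptions made for illustration; the point demonstrated is that instantiation yields a definite, validated requirement and that confidential fields are kept out of anything that is logged or reported.

```python
"""Service-template instantiation for L3VPN configuration management (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Field:
    name: str
    required: bool = True
    confidential: bool = False  # never echoed in reports, logs or agent responses
    choices: tuple = ()         # allowed values; empty means any value


@dataclass
class ServiceTemplate:
    name: str
    fields: list
    cross_checks: Optional[Callable[[dict], list]] = None

    def instantiate(self, values: dict) -> dict:
        """Turn supplied values into a definite service requirement.

        Raises ValueError on unknown fields, missing required fields, values
        outside the allowed set, or a failed cross-field rule.
        """
        known = {f.name for f in self.fields}
        unknown = sorted(set(values) - known)
        if unknown:
            raise ValueError(f"unknown fields: {unknown}")
        instance = {}
        for f in self.fields:
            if f.name not in values:
                if f.required:
                    raise ValueError(f"missing required field: {f.name}")
                continue
            value = values[f.name]
            if f.choices and value not in f.choices:
                raise ValueError(f"{f.name}: {value!r} not in {f.choices}")
            instance[f.name] = value
        problems = self.cross_checks(instance) if self.cross_checks else []
        if problems:
            raise ValueError("; ".join(problems))
        return instance

    def redact(self, instance: dict) -> dict:
        """Copy of an instance with confidential fields masked (safe to log)."""
        hidden = {f.name for f in self.fields if f.confidential}
        return {k: ("<redacted>" if k in hidden else v) for k, v in instance.items()}


def ipsec_rules(inst: dict) -> list:
    """Cross-field rules for the constructed IPsec template (assumed policy)."""
    problems = []
    for key in ("local_endpoint", "remote_endpoint"):
        try:
            ip_address(inst[key])
        except ValueError:
            problems.append(f"{key}: not an IP address")
    if inst["auth_mode"] == "psk" and not inst.get("shared_key"):
        problems.append("auth_mode psk requires shared_key")
    if inst["auth_mode"] == "certificate" and "shared_key" in inst:
        problems.append("shared_key must not be supplied with certificate auth")
    for prefix in inst.get("traffic_filters", ()):
        try:
            ip_network(prefix)
        except ValueError:
            problems.append(f"traffic_filters: bad prefix {prefix!r}")
    return problems


# Constructed template: the field list follows Section 2.2.2, the values are assumed.
IPSEC_TUNNEL = ServiceTemplate("ipsec-tunnel", [
    Field("local_endpoint"),
    Field("remote_endpoint"),
    Field("auth_mode", choices=("psk", "certificate")),
    Field("encryption_alg", choices=("aes-128-gcm", "aes-256-gcm")),
    Field("auth_alg", choices=("hmac-sha256", "hmac-sha384")),
    Field("shared_key", required=False, confidential=True),
    Field("traffic_filters", required=False),
], cross_checks=ipsec_rules)

# Constructed order as a customer agent might submit it (documentation addresses).
EXAMPLE_ORDER = {
    "local_endpoint": "192.0.2.1", "remote_endpoint": "198.51.100.7",
    "auth_mode": "psk", "encryption_alg": "aes-256-gcm",
    "auth_alg": "hmac-sha256", "shared_key": "constructed-psk",
    "traffic_filters": ["10.1.0.0/16"],
}


def try_instantiate(template: ServiceTemplate, values: dict) -> Optional[str]:
    """Return None on success, otherwise the validation error text."""
    try:
        template.instantiate(values)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(IPSEC_TUNNEL.redact(IPSEC_TUNNEL.instantiate(EXAMPLE_ORDER)))
```

The redacted copy is what should reach logs, order-status views and customer reports; the full instance goes only to the provisioning path.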

2.2.3. Accounting

The accounting management function of the Customer Manager is provided with network layer measurements information and manages this information. The Customer Manager is responsible for the following accounting functions:

o Retrieval of accounting information from the Provider Network Manager

o Analysis, storage, and administration of measurements

Some providers may require near-real time reporting of measurement information, and may offer this as part of a customer network management service.

If an SP supports "Dynamic Bandwidth Management" service, then the schedule and the amount of the bandwidth required to perform requested bandwidth allocation change(s) must be traceable for monitoring and accounting purposes.

Solutions should state compliance with accounting requirements, as described in section 1.7 of [RFC2975].

2.2.4. Performance Management

From the Customer Manager's perspective, performance management includes functions involved in the determination of the conformance level with the Service Level Specifications, such as QoS and availability measurements. The objective is to correlate accounting information with performance and fault management information to produce billing that takes into account SLA provisions for periods of time where the service level objectives are not met.

The performance information should reflect the quality of the subscribed VPN service as perceived by the customer. This information could be measured by the provider or controlled by a third party. The parameters that will be used to reflect the performance level could be negotiated and agreed upon between the service provider and the customer during the VPN service negotiation phase.

Performance management should also support analysis of important aspects of an L3VPN, such as bandwidth utilization, response time, availability, QoS statistics, and trends based on collected data.
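
As an added example (not code from RFC 4176), the following takes three of the Service Level Objective parameters listed in Section 2.1 (availability per site, duration of outage intervals, time to repair) and measures constructed incident records against them, then derives the billing adjustment that Section 2.2.4 says should follow from missed objectives. The objective values, the incident record format, the clipping of outages to the reporting period and the credit schedule are all assumptions chosen for illustration.

```python
"""SLS conformance evaluation from outage records (added example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SiteSLS:
    site: str
    min_availability_pct: float   # availability objective over the period
    max_outage_minutes: float     # longest single outage tolerated
    max_repair_minutes: float     # time-to-repair objective, from trouble report to restore
    credit_pct_per_breach: int    # assumed contractual penalty per missed objective


@dataclass(frozen=True)
class Incident:
    site: str
    start: datetime      # service lost
    reported: datetime   # trouble report opened
    end: datetime        # service restored


def _minutes(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 60


def evaluate(sls: SiteSLS, incidents, period_start: datetime, period_end: datetime) -> dict:
    """Measure one site against its SLS over [period_start, period_end)."""
    period = _minutes(period_start, period_end)
    downtime = longest = slowest_repair = 0.0
    for inc in incidents:
        if inc.site != sls.site:
            continue
        # Clip to the reporting period so an outage straddling the boundary
        # is only charged for the part that falls inside it.
        start, end = max(inc.start, period_start), min(inc.end, period_end)
        if end <= start:
            continue
        m = _minutes(start, end)
        downtime += m
        longest = max(longest, m)
        slowest_repair = max(slowest_repair, _minutes(inc.reported, inc.end))
    availability = 100.0 * (1.0 - downtime / period)
    breaches = []
    if availability < sls.min_availability_pct:
        breaches.append("availability")
    if longest > sls.max_outage_minutes:
        breaches.append("outage_duration")
    if slowest_repair > sls.max_repair_minutes:
        breaches.append("time_to_repair")
    return {
        "site": sls.site,
        "availability_pct": round(availability, 3),
        "downtime_minutes": downtime,
        "longest_outage_minutes": longest,
        "slowest_repair_minutes": slowest_repair,
        "breaches": breaches,
        "credit_pct": min(100, len(breaches) * sls.credit_pct_per_breach),
    }


# Constructed sample: two sites of one VPN over one calendar month.
PERIOD = (datetime(2005, 10, 1), datetime(2005, 11, 1))
SLS_TABLE = {
    "siteA": SiteSLS("siteA", 99.9, 60, 120, 10),
    "siteB": SiteSLS("siteB", 99.5, 60, 120, 10),
}
INCIDENTS = [
    Incident("siteA", datetime(2005, 10, 5, 2, 0), datetime(2005, 10, 5, 2, 5), datetime(2005, 10, 5, 2, 30)),
    Incident("siteA", datetime(2005, 10, 20, 10, 0), datetime(2005, 10, 20, 10, 15), datetime(2005, 10, 20, 13, 0)),
    # Straddles the period start: only the 5 minutes after midnight count as downtime.
    Incident("siteB", datetime(2005, 9, 30, 23, 50), datetime(2005, 9, 30, 23, 55), datetime(2005, 10, 1, 0, 5)),
    Incident("siteB", datetime(2005, 10, 10, 8, 0), datetime(2005, 10, 10, 8, 2), datetime(2005, 10, 10, 8, 10)),
]


def monthly_report() -> dict:
    """Per-site conformance and credit for the constructed month."""
    return {site: evaluate(sls, INCIDENTS, *PERIOD) for site, sls in SLS_TABLE.items()}


if __name__ == "__main__":
    for site, result in monthly_report().items():
        print(site, result)
```

Site A misses all three objectives in this sample (a 180-minute outage, 99.53% availability and a 165-minute repair), so the report carries a 30% credit; site B's clipped boundary outage leaves it inside every objective.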

2.2.5. Security Management

From the Customer Manager's perspective, the security management function includes management features to guarantee the security of the VPN. This includes security of devices, configuration data, and access connections. Authentication and authorization (access control) also fall into this category.

2.2.5.1. Access Control

Management access control determines the privileges that a user has for particular applications and parts of the network. Without such control, only the data and control traffic is protected, while the devices that provide the L3VPN network, along with other equipment and resources, remain unprotected. Access control capabilities protect these devices to ensure that users have access to only those resources and applications they are granted to use.

2.2.5.2. Authentication

Authentication is the process of verifying the identity of a VPN user.

2.3. Customer Management Functional Description

This section provides a high-level example of an architecture for the L3VPN management framework, with regard to the SML layer. The goal is to map the customer management functions described in Section 2.2 to architectural yet functional blocks, and to describe the communication with the other L3VPN management functions.

       + - - - - - - - - - - - - - - - - - - - - - - - - -  +
       | Service    +----------------+   +----------------+ |
       | Management |   VPN  Offering|   | VPN Order      | |
       |            |   Management   |   |    Management  | |
       |            +----------------+   +----------------+ |
       |            +----------------+   +----------------+ |
       |            |   VPN          |   | VPN-based      | |
       |            |   Assurance    |   | SLS Management | |
       |            +----------------+   +----------------+ |
       + - - - - - - - - - - - - - - - - - - - - - - - - -  +
        

Figure 3: Overview of the Service Management

A customer must have a means to view the topology, operational state, order status, and other parameters associated with the VPN service offering that has been subscribed.

All aspects of management information about CE devices and customer attributes of an L3VPN, manageable by a SP, should be capable of being configured and maintained by an authenticated, authorized Service manager.

A customer agent should be able to make dynamic requests for changing the parameters that describe a service. A customer should be able to receive responses from the SP network in response to these requests (modulo the existence of necessary agreements). Communication between customer Agents and (VPN) service providers will rely upon a query/response mechanism.
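
The query/response exchange just described, as an added example that is not part of RFC 4176: a service manager handling a customer agent's request with authentication (Section 2.2.5.2) kept separate from management access control (Section 2.2.5.1), and with the confidential customer data that Section 1.2 mentions (encryption keys) withheld from every response. The credential store, the two roles, the VPN records, the audit record format and the rule that keys are not settable over this path are all constructed for illustration.

```python
"""Query/response handling for a customer agent's management request (added example)."""
import hashlib
import hmac
import secrets


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ServiceManager:
    CONFIDENTIAL = {"shared_key"}                                  # never returned to an agent
    PERMISSIONS = {"viewer": {"query"}, "operator": {"query", "modify"}}

    def __init__(self):
        self.agents = {}   # agent name -> {customer, role, salt, hash}
        self.vpns = {}     # vpn id -> {customer, params}
        self.audit = []    # (agent, op, vpn id, outcome): the incident log of Section 2.2.1
        self._dummy_salt = secrets.token_bytes(16)

    def add_agent(self, name, customer, role, password):
        salt = secrets.token_bytes(16)
        self.agents[name] = {"customer": customer, "role": role,
                             "salt": salt, "hash": _derive(password, salt)}

    def add_vpn(self, vpn_id, customer, params):
        self.vpns[vpn_id] = {"customer": customer, "params": dict(params)}

    def authenticate(self, name, password):
        """Return the agent record or None; unknown names still cost one derivation."""
        rec = self.agents.get(name)
        if rec is None:
            _derive(password, self._dummy_salt)
            return None
        if not hmac.compare_digest(rec["hash"], _derive(password, rec["salt"])):
            return None
        return rec

    def redact(self, params):
        return {k: ("<redacted>" if k in self.CONFIDENTIAL else v) for k, v in params.items()}

    def handle(self, name, password, op, vpn_id, changes=None):
        """One request on the query/response path; every outcome is audited."""
        def finish(outcome, **body):
            self.audit.append((name, op, vpn_id, outcome))
            return {"status": outcome, **body}

        agent = self.authenticate(name, password)
        if agent is None:
            return finish("denied", reason="authentication failed")
        vpn = self.vpns.get(vpn_id)
        # Another customer's VPN is reported exactly like a VPN that does not
        # exist, so responses do not reveal which ids belong to other customers.
        if vpn is None or vpn["customer"] != agent["customer"]:
            return finish("denied", reason="no such vpn")
        if op not in self.PERMISSIONS.get(agent["role"], set()):
            return finish("denied", reason=f"{op} not permitted for role {agent['role']}")
        if op == "modify":
            if not changes or self.CONFIDENTIAL & set(changes):
                return finish("denied", reason="no changes, or confidential fields cannot be set here")
            vpn["params"].update(changes)
        return finish("ok", vpn=vpn_id, params=self.redact(vpn["params"]))


def demo_manager() -> ServiceManager:
    """Constructed population: two customers, one agent and one VPN each."""
    sm = ServiceManager()
    sm.add_agent("alice", "acme", "operator", "alice-pass")
    sm.add_agent("bob", "beta", "viewer", "bob-pass")
    sm.add_vpn("vpn-1", "acme", {"sites": ["site-1", "site-2"], "shared_key": "constructed-key"})
    sm.add_vpn("vpn-2", "beta", {"sites": ["site-9"], "shared_key": "constructed-key-2"})
    return sm


if __name__ == "__main__":
    sm = demo_manager()
    print(sm.handle("alice", "alice-pass", "query", "vpn-1"))
    print(sm.handle("bob", "bob-pass", "query", "vpn-1"))
    print(sm.audit)
```

The audit list records denied requests as well as successful ones, which is what the fault-management reporting of Section 2.2.1 needs when a customer asks why an order or query did not go through.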

A customer who may not be able to afford the resources to manage its CPEs should be able to outsource the management of the VPN to the service provider(s) supporting the network.

2.3.1. L3VPN Service Offering Management

Hopefully, the deployment of a VPN addresses customers' requirements. Thus, the provider must have the means to advertise the VPN-based services it offers. Then, the potential customers could select the service to which they want to subscribe. Additional features could be associated with this subscription phase, such as the selection of a level of quality associated with the delivery of the VPN service, the level of management of the VPN service performed by the SP, security options, etc.

2.3.2. L3VPN Service Order Management

This operation aims at managing the requests initiated by the customers and tracks the status of the achievement of the related operations. The activation of the orders is conditioned by the availability of the resources that meet the customer's requirements with the agreed guarantees (note that it could be a result of a negotiation phase between the customer and the provider).

2.3.3. L3VPN Service Assurance

The customer may require the means to evaluate the fulfillment of the contracted SLA with the provider. Thus, the provider should monitor, measure, and provide statistical information to the customer, assuming an agreement between both parties on the measurement methodology, as well as the specification of the corresponding (set of) quality of service indicators.

3. Provider Network Manager
3.1. Provider Network Management Definition

When implementing a VPN architecture within a domain (or a set of domains managed by a single SP), the SP must have a means to view the physical and logical topology of the VPN premises, the VPN operational status, the VPN service ordering status, the VPN service handling, the VPN service activation status, and other aspects associated with each customer's VPN.

From a provider's perspective, the management of a VPN service consists mainly of:

o Managing the customers (the term "customer" denotes a role rather than the end user, thus an SP could be a customer) and end-users in terms of SLA

o Managing the VPN premises (especially creating, modifying, and deleting operations, editing the related information to a specific link, or supervising the AAA [RFC2903] [RFC2906] operations)

o Managing the CE-PE links (particularly creating, modifying, and deleting links, editing the related information to a specific VPN)

o Managing the service ordering, such as Quality of Service, in terms of supported classes of service, traffic isolation, etc.

Currently, proprietary methods are often used to manage VPNs. The additional expense associated with operators having to use multiple, proprietary, configuration-related management methods (e.g., Command Line Interface (CLI) languages) to access such systems is not recommended, because it affects the overall cost of the service (including operating costs), especially when multiple vendor technologies (hence multiple areas of expertise) are used to support the VPN service offering. Therefore, devices should provide standards-based interfaces. From this perspective, additional requirements on possible interoperability issues and availability of such standardized management interfaces need to be investigated.

3.2. Network Management Functions

In addition, there can be internal services provided by the SP for satisfying the customer service requirements. Some of these may include the notion of dynamic deployment of resources for supporting the customer-visible services, high availability service for the customer that may be supported by automatic failure detection, and automatic switchover to back-up VPNs. These are accomplished by inter-working with the FCAPS capabilities of the Provider Network Manager.

3.2.1. Fault Management

The Provider Network Manager support for fault management includes:

o Fault detection (incidents reports, alarms, failure visualization)

o Fault localization (analysis of alarms reports, diagnostics)

o Corrective actions (data path, routing, resource allocation)

Since L3VPNs rely upon a common network infrastructure, the Provider Network Manager provides a means to inform the Service Manager about the VPN customers impacted by a failure in the infrastructure. The Provider Network Manager should provide pointers to the related customer configuration information to contribute to the procedures of fault isolation and the determination of corrective actions.

It is desirable to detect faults caused by configuration errors, because these may cause VPN service to fail, or not meet other requirements (e.g., traffic and routing isolation). One approach could be a protocol that systematically checks that all constraints have been taken into account, and that consistency checks have been enforced during the tunnel configuration process.

A capability that aims at checking IP reachability within a VPN must be provided for diagnostic purposes.

A capability that aims at checking the configuration of a VPN device must be provided for diagnostic purposes.

3.2.2. Configuration Management

The Provider Network Manager must support configuration management capabilities in order to deploy VPNs. To do so, a Provider Network Manager must provide configuration management that provisions at least the following L3VPN components: PE, CE, hierarchical tunnels, access connections, routing, and QoS, as detailed in this section. If access to the Internet is provided, then this option must also be configurable.

Provisioning for adding or removing VPN customer premises should be as automated as possible.

Finally, the Provider Network Manager must ensure that these devices and protocols are provisioned consistently and correctly. The solution should provide a means for checking whether a service order is correctly provisioned. This would represent one method of diagnosing configuration errors. Configuration errors can arise due to a variety of reasons: manual configuration, intruder attacks, and conflicting service requirements.

Requirements for L3VPN configuration management are:

o The Provider Network Manager must support configuration of VPN membership.

o The Provider Network Manager should use identifiers for SPs, L3VPNs, PEs, CEs, hierarchical tunnels, and access connections.

o Tunnels must be configured between PE/CE devices. This requires coordination of tunnel identifiers, paths, VPNs, and any associated service information, for example, a QoS service.

o Routing protocols running between PE routers and CE devices must be configured. For multicast services, multicast routing protocols must also be configurable.

o Routing protocols running between PE routers, and between PE and P routers, must also be configured.

PE-based only:

o Routing protocols running between PE routers and CE devices, if any, must be configured on a per-VPN basis. The Provider Network Manager must support configuration of a CE routing protocol for each access connection.

o The configuration of a PE-based L3VPN should be coordinated with the configuration of the underlying infrastructure, including Layer 1 and 2 networks that interconnect components of an L3VPN.

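As an added example (not part of RFC 4176 and not any vendor's implementation), the following Python checker models the verification asked for in Sections 3.2.1 and 3.2.2: it compares a set of service orders against the VPN membership, CE routing protocol and tunnel configuration found on the PE routers, and reports membership errors that would break traffic and routing isolation, attachments no order asked for, and tunnels configured at only one end. The identifiers, data model and sample orders are constructed for this example.

```python
"""Consistency check of provisioned L3VPN configuration against service orders.

Added example, not part of RFC 4176. The data model (dicts keyed by
identifiers for L3VPNs, PEs, CEs, tunnels and access connections) and the
sample orders below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class SiteOrder:
    vpn: str       # L3VPN identifier the site must belong to
    ce: str        # CE identifier
    pe: str        # PE the CE attaches to
    access: str    # access connection identifier on that PE
    routing: str   # CE-PE routing protocol the customer ordered


@dataclass
class PEConfig:
    # access connection id -> (vpn id, configured CE routing protocol)
    attachments: dict = field(default_factory=dict)
    # tunnel id -> (remote PE id, vpn id)
    tunnels: dict = field(default_factory=dict)


def check_provisioning(orders, pes):
    """Return a sorted list of findings; an empty list means the orders are
    provisioned consistently."""
    findings = []
    for o in orders:
        pe = pes.get(o.pe)
        if pe is None:
            findings.append(f"{o.vpn}/{o.ce}: PE {o.pe} has no configuration")
            continue
        att = pe.attachments.get(o.access)
        if att is None:
            findings.append(f"{o.vpn}/{o.ce}: access {o.access} missing on {o.pe}")
            continue
        vpn, routing = att
        if vpn != o.vpn:
            # Membership error: the site would exchange routes and traffic
            # with another customer's VPN (isolation failure).
            findings.append(f"{o.vpn}/{o.ce}: {o.pe}:{o.access} bound to {vpn}, not {o.vpn}")
        if routing != o.routing:
            findings.append(f"{o.vpn}/{o.ce}: routing {routing} configured, {o.routing} ordered")
    # Attachments no order asked for: stale, manual or unauthorized configuration.
    ordered = {(o.pe, o.access) for o in orders}
    for pe_id, pe in pes.items():
        for acc in pe.attachments:
            if (pe_id, acc) not in ordered:
                findings.append(f"{pe_id}:{acc}: attachment not covered by any order")
    # Tunnel identifiers must be coordinated: same id and VPN at both ends.
    for pe_id, pe in pes.items():
        for tid, (remote, vpn) in pe.tunnels.items():
            peer = pes.get(remote, PEConfig()).tunnels.get(tid)
            if peer != (pe_id, vpn):
                findings.append(f"tunnel {tid}: {pe_id}->{remote} for {vpn} has no matching end")
    return sorted(findings)


# Constructed sample: two VPN-A sites, one VPN-B site, with deliberate errors.
ORDERS = [
    SiteOrder("VPN-A", "CE-1", "PE-1", "ac1", "BGP"),
    SiteOrder("VPN-A", "CE-2", "PE-2", "ac1", "BGP"),
    SiteOrder("VPN-B", "CE-3", "PE-2", "ac2", "OSPF"),
]
PES = {
    "PE-1": PEConfig(attachments={"ac1": ("VPN-A", "BGP")},
                     tunnels={"t1": ("PE-2", "VPN-A")}),
    "PE-2": PEConfig(attachments={"ac1": ("VPN-A", "STATIC"),  # wrong protocol
                                  "ac2": ("VPN-A", "OSPF"),    # wrong VPN
                                  "ac3": ("VPN-C", "BGP")},    # not ordered
                     tunnels={}),                              # t1 one-sided
}

if __name__ == "__main__":
    for line in check_provisioning(ORDERS, PES):
        print(line)
```
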
3.2.2.1. Provisioning Routing-based Configuration Information

If there is an IGP running within the L3VPN, the Provider Network Manager must provision the related parameters. This includes metrics, capacity, QoS capability, and restoration parameters.

3.2.2.2. Provisioning Access-based Configuration Information

The Provider Network Manager must provision network access between SP-managed PE and CE equipment.

3.2.2.3. Provisioning Security Services-based Configuration Information

When a security service is requested, the Provider Network Manager must provision the entities and associated parameters involved in the provisioning of the service. For example, IPsec services, tunnels, options, keys, and other parameters should be provisioned at the CE and/or the PE routers. In the case of an intrusion detection service, the filtering and detection rules should be provisioned on a VPN basis.

3.2.2.4. Provisioning VPN Resource Parameters

A service provider should have a means to dynamically provision resources associated with VPN services. For example, in a PE-based service, the number and size of virtual switching and forwarding table instances should be provisioned.

If an SP supports a "Dynamic Bandwidth Management" service, then the dates, times, amounts, and intervals required to perform requested bandwidth allocation change(s) may be traceable for accounting purposes.

If an SP supports a "Dynamic Bandwidth Management" service, then the provisioning system must be able to make requested changes within the ranges and bounds specified in the Service Level Specifications. Examples of QoS parameters are the response time and the probability of being able to service such a request.

Dynamic VPN resource allocation is crucial to cope with the frequent requests for changes that are expressed by customers (e.g., sites joining or leaving a VPN), as well as to achieve scalability. The PE routers should be able to dynamically assign the VPN resources. This capability is especially important for dial-up and wireless VPN services.

3.2.2.5. Provisioning Value-Added Service Access

An L3VPN service provides controlled access between a set of sites over a common backbone. However, many service providers also offer a range of value-added services, for example: Internet access, firewall services, intrusion detection, IP telephony and IP Centrex, application hosting, backup, etc. It is outside the scope of this document to define if and how these different services interact with the VPN service offering. However, the VPN service should be able to provide access to these various types of value-added services.

A VPN service should allow the SP to supply the customer with different kinds of well-known IP services (e.g., DNS, NTP, RADIUS, etc.) needed for ordinary network operation and management. The provider should be able to provide IP services to multiple customers from one or many servers.

A firewall function may be required to restrict access to the L3VPN from the Internet [Y.1311].

Managed firewalls may be supported on a per-VPN basis, although multiple VPNs will be supported by the same physical device. In such cases, managed firewalls should be provided at the access point(s) of the L3VPN. Such services may be embedded in the CE or PE devices, or implemented in stand-alone devices.

The Provider Network Manager should allow a customer to outsource the management of an IP service to the SP providing the VPN or to a third party.

The management system should support the collection of information necessary for optimal allocation of IP services in response to customers' orders, in correlation with provider-provisioned resources supporting the service.

If Internet access is provided, reachability to and from the Internet from/to sites within a VPN should be configurable by an SP. Configuring routing policy to control distribution of VPN routes advertised to the Internet may realize this.

3.2.2.6. Provisioning Hybrid VPN Services

Configuration of interworking L3VPN solutions should also be supported, taking security and end-to-end QoS issues into account.

3.2.3. Accounting

The Provider Network Manager is responsible for the measurements of resource utilization.

3.2.4. Performance Management

From the Provider Network Manager's perspective, performance management includes functions involved in monitoring and collecting performance data regarding devices, facilities, and services.

The Provider Network Manager must monitor the devices' behavior to evaluate performance metrics associated with an SLS. Different measurement techniques may be necessary, depending on the service for which an SLA is provided. Example services are QoS, security, multicast, and temporary access. These techniques may be either intrusive or non-intrusive, depending on the parameters being monitored.

The Provider Network Manager must also monitor aspects of the VPN that are not directly associated with an SLS, such as resource utilization, status of devices and transmission facilities, as well as control of monitoring resources, such as probes and remote agents at network access points used by customers and mobile users.

Devices supporting L3VPN whose level of quality is defined by SLSes should have real-time performance measurements that have indicators and threshold crossing alerts. Such thresholds should be configurable.

3.2.5. Security Management

From the Provider Network Manager's perspective, the security management function of the Provider Network Manager must include management features to guarantee the preservation of the confidentiality of customers' traffic and control data, as described in [RFC3809].

3.2.5.1. Authentication Management

The Provider Network Manager must support standard methods for authenticating users attempting to access VPN services.

Scalability is critical, as the number of nomadic/mobile clients is increasing rapidly. The authentication scheme implemented for such deployments must be manageable for large numbers of users and VPN access points.

Strong authentication schemes need to be supported to ensure the security of both VPN access point-to-VPN access point (PE-to-PE) and client-to-VPN access point (CE-to-PE) communications. This is particularly important to prevent VPN access point (VPN AP) spoofing. VPN Access Point Spoofing is the situation where an attacker tries to convince a PE or a CE that the attacker is the VPN Access Point. If an attacker succeeds, then the device will send VPN traffic to the attacker (who could forward it on to the actual (and legitimate) access point after compromising confidentiality and/or integrity).

In other words, a non-authenticated VPN AP can be spoofed with a man-in-the-middle attack, because the endpoints rarely verify each other. A weakly authenticated VPN AP may be subject to such an attack. However, strongly authenticated VPN APs are not subject to such attacks, because the man-in-the-middle cannot authenticate as the real AP, due to the strong authentication algorithms.

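The following Python exchange is an added example (not part of RFC 4176 and not any product's protocol) of the point made above: when both ends prove possession of a key bound to their identity, an endpoint that cannot do so is refused before any VPN traffic is sent. The message layout, the HMAC-SHA-256 tag over both identities, both nonces and the direction, and the pre-shared keys (assumed to be provisioned by the Provider Network Manager) are assumptions of this example; real deployments would use IKE or a certificate-based scheme rather than this toy handshake.

```python
"""Mutual challenge-response authentication between a CE and a PE.

Added example, not part of RFC 4176. The message format, the HMAC-SHA-256
tag over both identities, both nonces and the direction, and the pre-shared
keys (assumed to be provisioned by the Provider Network Manager) are
assumptions of this example; production deployments would use IKE or a
certificate-based scheme rather than this toy exchange.
"""
import hashlib
import hmac
import secrets


def _tag(key, initiator, responder, n_i, n_r, role):
    # Bind both identities, both nonces and the direction, so a tag cannot be
    # reflected back to its sender or replayed in a later exchange.
    msg = b"|".join([initiator.encode(), responder.encode(), n_i, n_r, role])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Endpoint:
    """A CE or PE holding one pre-shared key per peer it is allowed to talk to."""

    def __init__(self, name, keys, strict=True):
        self.name = name
        self.keys = keys        # peer name -> key; unknown peers get an empty key
        self.strict = strict    # False models an endpoint that skips verification
        self.nonce = None

    def hello(self):
        self.nonce = secrets.token_bytes(16)
        return self.name, self.nonce

    def respond(self, peer_name, peer_nonce):
        # Prove knowledge of the key shared with the claimed initiator.
        self.nonce = secrets.token_bytes(16)
        key = self.keys.get(peer_name, b"")
        return self.name, self.nonce, _tag(key, peer_name, self.name,
                                           peer_nonce, self.nonce, b"resp")

    def verify_response(self, peer_name, peer_nonce, tag):
        # Initiator side: check that the responder really holds the key for the
        # VPN access point it claims to be. Return None to refuse the session.
        key = self.keys.get(peer_name, b"")
        expected = _tag(key, self.name, peer_name, self.nonce, peer_nonce, b"resp")
        if self.strict and not hmac.compare_digest(expected, tag):
            return None
        return _tag(key, self.name, peer_name, self.nonce, peer_nonce, b"init")

    def verify_initiator(self, peer_name, peer_nonce, tag):
        # Responder side: check that the initiator holds the key for its claimed name.
        key = self.keys.get(peer_name, b"")
        expected = _tag(key, peer_name, self.name, peer_nonce, self.nonce, b"init")
        return hmac.compare_digest(expected, tag)


def run_handshake(initiator, responder):
    """Return (initiator_accepts_responder, responder_accepts_initiator).
    VPN traffic must only flow when both values are True."""
    i_name, n_i = initiator.hello()
    r_name, n_r, tag_r = responder.respond(i_name, n_i)
    tag_i = initiator.verify_response(r_name, n_r, tag_r)
    if tag_i is None:
        return False, False   # responder failed to prove it is the real VPN AP
    return True, responder.verify_initiator(i_name, n_i, tag_i)


def demo():
    """Constructed scenario: a genuine CE-PE pair, an endpoint claiming to be
    the PE without its key, and a CE claiming a legitimate name without its key."""
    k = secrets.token_bytes(32)
    ce = Endpoint("CE-1", {"PE-1": k})
    pe = Endpoint("PE-1", {"CE-1": k})
    spoofed_ap = Endpoint("PE-1", {"CE-1": secrets.token_bytes(32)})
    rogue_ce = Endpoint("CE-1", {"PE-1": secrets.token_bytes(32)}, strict=False)
    return {
        "genuine": run_handshake(ce, pe),             # (True, True)
        "spoofed_ap": run_handshake(ce, spoofed_ap),  # (False, False)
        "rogue_ce": run_handshake(rogue_ce, pe),      # (True, False)
    }
```
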
4. L3VPN Devices
4.1. Information Model

Each L3VPN solution must specify the management information (MIBs, PIBs, XML schemas, etc.) for network elements involved in L3VPN services. This is an essential requirement in network provisioning. The approach should identify any L3VPN-specific information not contained in a standards track MIB module.

4.2. Communication

The deployment of a VPN may span a wide range of network equipment, potentially including equipment from multiple vendors. Therefore, the provisioning of a unified network management view of the VPN shall be simplified by means of standard management interfaces and models. This will also facilitate customer self-managed (monitored) network devices or systems.

In cases where significant configuration is required whenever a new service is to be provisioned, it is important, for scalability reasons, that the NMS provides a largely automated mechanism for the relevant configuration operations. Manual configuration of VPN services (i.e., new sites, or re-provisioning existing ones) could lead to scalability issues, and should be avoided. It is thus important for network operators to maintain visibility of the complete picture of the VPN through the NMS system. This should be achieved by using standards track protocols such as SNMP. Use of proprietary command-line interfaces is not recommended.

5. Security Considerations

This document describes a framework for L3VPN Operations and Management. Although this document discusses and addresses some security concerns in Section 2.2.5 and Section 3.2.5 above, it does not introduce any new security concerns.

6. Acknowledgements

Special thanks to Nathalie Charton, Alban Couturier, Christian Jacquenet, and Harmen Van Der Linde for their review of the document and their valuable suggestions.

7. Normative References

[RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to Accounting Management", RFC 2975, October 2000.

[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[RFC2903] de Laat, C., Gross, G., Gommans, L., Vollbrecht, J., and D. Spence, "Generic AAA Architecture", RFC 2903, August 2000.

[RFC2906] Farrell, S., Vollbrecht, J., Calhoun, P., Gommans, L., Gross, G., de Bruijn, B., de Laat, C., Holdrege, M., and D. Spence, "AAA Authorization Requirements", RFC 2906, August 2000.

[RFC3809] Nagarajan, A., "Generic Requirements for Provider Provisioned Virtual Private Networks (PPVPN)", RFC 3809, June 2004.

[RFC4026] Andersson, L. and T. Madsen, "Provider Provisioned Virtual Private Network (VPN) Terminology", RFC 4026, March 2005.

[Y.1311] ITU, "Network-based IP VPN over MPLS architecture", ITU-T Y.1311.1, 2001.

Authors' Addresses

   Yacine El Mghazli (Editor)
   Alcatel
   Route de Nozay
   Marcoussis 91460
   France

   EMail: yacine.el_mghazli@alcatel.fr

   Thomas D. Nadeau
   Cisco Systems, Inc.
   300 Beaver Brook Road
   Boxborough, MA 01719

   Phone: +1-978-936-1470
   EMail: tnadeau@cisco.com

   Mohamed Boucadair
   France Telecom
   42, rue des Coutures
   Caen 14066
   France

   EMail: mohamed.boucadair@francetelecom.com

   Kwok Ho Chan
   Nortel Networks
   600 Technology Park Drive
   Billerica, MA 01821
   USA

   EMail: khchan@nortel.com

   Arnaud Gonguet
   Alcatel
   Route de Nozay
   Marcoussis 91460
   France

   EMail: arnaud.gonguet@alcatel.fr

Full Copyright Statement

Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
