Network Working Group B. Fox Request for Comments: 2685 Lucent Technologies Category: Standards Track B. Gleeson Nortel Networks September 1999
Network Working Group B. Fox Request for Comments: 2685 Lucent Technologies Category: Standards Track B. Gleeson Nortel Networks September 1999
Virtual Private Networks Identifier
虚拟专用网络标识符
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
Abstract
摘要
Virtual Private IP networks may span multiple Autonomous Systems or Service Providers. There is a requirement for the use of a globally unique VPN identifier in order to be able to refer to a particular VPN (see section 6.1.1 of [1]). This document proposes a format for a globally unique VPN identifier.
虚拟专用IP网络可以跨越多个自治系统或服务提供商。需要使用全局唯一的VPN标识符才能引用特定的VPN(见[1]第6.1.1节)。本文档提出了一种全局唯一VPN标识符的格式。
As the Public Internet expands and extends its infrastructure globally, the determination to exploit this infrastructure has led to widespread interest in IP based Virtual Private Networks. A VPN emulates a private IP network over public or shared infrastructures. Virtual Private Networks provide advantages to both the Service Provider and its customers. For its customers, a VPN can extend the IP capabilities of a corporate site to remote offices and/or users with intranet, extranet, and dialup services. This connectivity should be achieved at a lower cost to the customer with savings in capital equipment, operations, and services. The Service Provider is able to make better use of its infrastructure and network administration expertise offering IP VPN connectivity and/or services to its customers.
随着公共互联网在全球范围内扩展和扩展其基础设施,利用这一基础设施的决心引起了人们对基于IP的虚拟专用网络的广泛兴趣。VPN通过公共或共享基础设施模拟专用IP网络。虚拟专用网络为服务提供商及其客户提供了优势。对于客户而言,VPN可以将公司站点的IP功能扩展到远程办公室和/或使用intranet、extranet和拨号服务的用户。这种连接应以较低的客户成本实现,并节省资本设备、运营和服务。服务提供商能够更好地利用其基础设施和网络管理专业知识,为其客户提供IP VPN连接和/或服务。
There are many ways in which IP VPN services may be implemented. The IP based VPN framework document [1] identifies four types of VPN to be supported: Virtual Leased Lines, Virtual Private Routed Networks,
有许多方法可以实现IP VPN服务。基于IP的VPN框架文件[1]确定了需要支持的四种VPN类型:虚拟租用线路、虚拟专用路由网络、,
Virtual Private Dial Networks, and Virtual Private LAN Segments. In addition, numerous drafts and white papers outline methods to be used by Service Providers and/or Service Provider customers to enable this service. Solutions may be customer based or network based. Network based solutions may provide connectivity and services at layer 2 and/or layer 3. The devices involved in enabling the solution may be Customer Premises Equipment (CPE), Service Provider Edge equipment, Service Provider Core equipment, or some combination of these.
虚拟专用拨号网络和虚拟专用LAN网段。此外,许多草稿和白皮书概述了服务提供商和/或服务提供商客户为实现此服务而使用的方法。解决方案可以是基于客户的,也可以是基于网络的。基于网络的解决方案可在第2层和/或第3层提供连接和服务。启用解决方案所涉及的设备可以是客户场所设备(CPE)、服务提供商边缘设备、服务提供商核心设备,或者这些设备的一些组合。
While the various methods of VPN service implementation are being discussed and debated, there are two points on which there is agreement:
虽然正在讨论和辩论VPN服务实现的各种方法,但有两点是一致的:
Because a VPN is private, it may use a private address space which may overlap with the address space of another VPN or the Public Internet.
因为VPN是私有的,所以它可能使用私有地址空间,该地址空间可能与另一个VPN或公共互联网的地址空间重叠。
A VPN may span multiple IP Autonomous Systems (AS) or Service Providers.
VPN可以跨越多个IP自治系统(AS)或服务提供商。
The first point indicates that an IP address only has meaning within the VPN in which it exists. For this reason, it is necessary to identify the VPN in which a particular IP address has meaning, the "scope" of the IP address.
第一点表示IP地址仅在其所在的VPN内有意义。出于这个原因,有必要识别特定IP地址具有含义的VPN,即IP地址的“范围”。
The second point indicates that several methods of VPN service implementation may be used to provide connectivity and services to a single VPN. Different service providers may employ different strategies based on their infrastructure and expertise. It is desirable to be able to identify any particular VPN at any layer and at any location in which it exists using the same VPN identifier.
第二点指出,VPN服务实现的几种方法可用于向单个VPN提供连接和服务。不同的服务提供商可能根据其基础设施和专业知识采用不同的策略。希望能够使用相同的VPN标识符在任何层和其存在的任何位置识别任何特定VPN。
The purpose of a VPN-ID is to identify a VPN. This identifier may be used in various ways depending on the method of VPN service implementation. For example, the VPN-ID may be included:
VPN-ID的用途是识别VPN。根据VPN服务实现的方法,可以以各种方式使用该标识符。例如,VPN-ID可以包括:
- In a MIB to configure attributes to a VPN, or to assign a physical or logical access interface to a particular VPN.
- 在MIB中,配置VPN的属性,或为特定VPN分配物理或逻辑访问接口。
- In a control or data packet, to identify the "scope" of a private IP address and the VPN to which the data belongs.
- 在控制或数据包中,标识专用IP地址和数据所属VPN的“范围”。
It is necessary to be able to identify the VPN with which a data packet is associated. The VPN-ID may be used to make this association, either explicitly (e.g. through inclusion of the VPN-ID in an encapsulation header [2]) or implicitly (e.g. through inclusion
必须能够识别与数据包关联的VPN。VPN-ID可用于明确(例如通过在封装头[2]中包含VPN-ID)或隐式(例如通过包含)建立此关联
of the VPN-ID in a ATM signalling exchange [3]). The appropriateness of using the VPN-ID in other contexts needs to be carefully evaluated.
在ATM信令交换[3]中使用VPN-ID。需要仔细评估在其他环境中使用VPN-ID的适当性。
There is another very important function that may be served by the VPN identifier. The VPN identifier may be used to define the "VPN authority" who is responsible for coordinating the connectivity and services employed by that VPN. The VPN authority may be the Private Network administrator or the primary Service Provider. The VPN authority will administer and serve as the main point of contact for the VPN. The authority may outsource some functions and connectivity, set up contractual agreements with the different Service Providers involved, and coordinate configuration, performance, and fault management.
VPN标识符还可以提供另一个非常重要的功能。VPN标识符可用于定义负责协调该VPN使用的连接和服务的“VPN机构”。VPN授权机构可以是专用网络管理员或主要服务提供商。VPN管理机构将管理并作为VPN的主要联系人。管理局可以外包一些功能和连接,与不同的服务提供商签订合同协议,并协调配置、性能和故障管理。
These functions require a VPN that is global in scope and usable in various solutions. To be a truly global VPN identifier, the format cannot force assumptions about the shared network(s). Conversely, the format should not be defined in such a way as to prohibit use of features of the shared network. It is necessary to note that the same VPN may be identified at different layers of the same shared network, e.g. ATM and IP layers. The same VPN-ID format and value should apply at both layers.
这些功能要求VPN在范围上是全局的,并可用于各种解决方案。要成为真正的全局VPN标识符,该格式不能强制对共享网络进行假设。相反,格式的定义不应禁止使用共享网络的功能。需要注意的是,同一VPN可以在同一共享网络的不同层(例如ATM和IP层)进行标识。相同的VPN-ID格式和值应适用于两层。
The methods of VPN-ID usage are beyond the scope of this memo.
VPN-ID的使用方法超出了本备忘录的范围。
The VPN Identifier format should meet the following requirements:
VPN标识符格式应满足以下要求:
- Provide a globally unique VPN Identifier usable across multiple Service Providers. - Enable support of a non-IP dependent VPN-ID for use in layer 2 VPNs. - Identify the VPN Authority within the VPN Identifier.
- 提供可跨多个服务提供商使用的全局唯一VPN标识符。-启用对第2层VPN中使用的非IP相关VPN-ID的支持。-在VPN标识符中标识VPN权限。
The global VPN Identifier format is:
全局VPN标识符格式为:
3 octet VPN authority Organizationally Unique Identifier [4]
3八位组VPN授权机构组织唯一标识符[4]
followed by
然后
4 octet VPN index identifying VPN according to OUI
4八位组VPN索引根据OUI识别VPN
0 1 2 3 4 5 6 7 8 +-+-+-+-+-+-+-+-+ | VPN OUI (MSB) | +-+-+-+-+-+-+-+-+ | VPN OUI | +-+-+-+-+-+-+-+-+ | VPN OUI (LSB) | +-+-+-+-+-+-+-+-+ |VPN Index (MSB)| +-+-+-+-+-+-+-+-+ | VPN Index | +-+-+-+-+-+-+-+-+ | VPN Index | +-+-+-+-+-+-+-+-+ |VPN Index (LSB)| +-+-+-+-+-+-+-+-+
0 1 2 3 4 5 6 7 8 +-+-+-+-+-+-+-+-+ | VPN OUI (MSB) | +-+-+-+-+-+-+-+-+ | VPN OUI | +-+-+-+-+-+-+-+-+ | VPN OUI (LSB) | +-+-+-+-+-+-+-+-+ |VPN Index (MSB)| +-+-+-+-+-+-+-+-+ | VPN Index | +-+-+-+-+-+-+-+-+ | VPN Index | +-+-+-+-+-+-+-+-+ |VPN Index (LSB)| +-+-+-+-+-+-+-+-+
The VPN OUI (IEEE 802-1990 Organizationally Unique Identifier) [4] identifies the VPN authority. The VPN authority will serve as the primary VPN administrator. The VPN authority may be the company/organization to which the VPN belongs or a Service Provider that provides the underlying infrastructure using its own and/or other providers' shared networks. The 4 octet VPN Index identifies a particular VPN serviced by the VPN authority.
VPN OUI(IEEE 802-1990组织唯一标识符)[4]标识VPN授权。VPN授权机构将作为主要VPN管理员。VPN授权机构可以是VPN所属的公司/组织或使用其自己和/或其他提供商的共享网络提供基础设施的服务提供商。4个八位组的VPN索引标识由VPN授权机构提供服务的特定VPN。
This document defines the format of the global VPN identifier without specifying usage. However, the association of particular characteristics and capabilities with a VPN identifier necessitates use of standard security procedures with any specified usage. Misconfiguration or deliberate forging of VPN identifier may result different breaches in security including the interconnection of different VPNs.
本文档定义了全局VPN标识符的格式,但未指定用途。但是,特定特征和功能与VPN标识符的关联需要使用具有任何指定用途的标准安全程序。错误配置或故意伪造VPN标识符可能导致不同的安全漏洞,包括不同VPN的互连。
[1] Gleeson, Heinanen, Lin, Armitage, Malis, "A Framework for IP Based Virtual Private Networks", Work in Progress.
[1] Gleeson、Heinanen、Lin、Armitage、Malis,“基于IP的虚拟专用网络框架”,正在进行中。
[2] Grossman, D. and J. Heinanen, "Multiprotocol Encapsulation over ATM Adaptation Layer 5", RFC 2684, September 1999.
[2] Grossman,D.和J.Heinanen,“ATM适配层5上的多协议封装”,RFC 2684,1999年9月。
[3] "MPOA v1.1 Addendum on VPN Support", ATM Forum, af-mpoa-0129.000, August, 1999, Bernhard Petri, editor, final ballot document.
[3] “MPOA v1.1 VPN支持补遗”,ATM论坛,af-MPOA-0129.000,1999年8月,Bernhard Petri,编辑,最终投票文件。
[4] http://standards.ieee.org/regauth/oui/index.html
[4] http://standards.ieee.org/regauth/oui/index.html
Barbara A. Fox Lucent Technologies 300 Baker Ave, Suite 100 Concord, MA 01742-2168
芭芭拉A.福克斯朗讯科技公司马萨诸塞州康科德贝克大道300号100室01742-2168
Phone: +1-978-287-2843 EMail: barbarafox@lucent.com
Phone: +1-978-287-2843 EMail: barbarafox@lucent.com
Bryan Gleeson Nortel Networks 4500 Great America Parkway, Santa Clara, CA 95054
布莱恩·格雷森北电网络公司,加利福尼亚州圣克拉拉大美洲大道4500号,邮编95054
Phone: +1-408-855-3711 EMail: bgleeson@shastanets.com
Phone: +1-408-855-3711 EMail: bgleeson@shastanets.com
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。