Network Working Group                                    K. Muthukrishnan
Request for Comments: 2917                            Lucent Technologies
Category: Informational                                          A. Malis
                                                    Vivace Networks, Inc.
                                                           September 2000
A Core MPLS IP VPN Architecture
Status of this Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This memo presents an approach for building core Virtual Private Network (VPN) services in a service provider's MPLS backbone. This approach uses Multiprotocol Label Switching (MPLS) running in the backbone to provide premium services in addition to best effort services. The central vision is for the service provider to provide a virtual router service to their customers. The keystones of this architecture are ease of configuration, user security, network security, dynamic neighbor discovery, scaling and the use of existing routing protocols as they exist today without any modifications.
ARP     Address Resolution Protocol
CE      Customer Edge router
LSP     Label Switched Path
PNA     Private Network Administrator
SLA     Service Level Agreement
SP      Service Provider
SPED    Service Provider Edge Device
SPNA    SP Network Administrator
VMA     VPN Multicast Address
VPNID   VPN Identifier
VR      Virtual Router
VRC     Virtual Router Console
This memo describes an approach for building IP VPN services out of the backbone of the SP's network. Broadly speaking, two possible approaches present themselves: the overlay model and the virtual router approach. The overlay model is based on overloading some semantic(s) of existing routing protocols to carry reachability information. In this document, we focus on the virtual router service.
The approach presented here does not depend on any modifications of any existing routing protocols. Neighbor discovery is aided by the use of an emulated LAN and is achieved by the use of ARP. This memo makes a concerted effort to draw the line between the SP and the PNA: the SP owns and manages layer 1 and layer 2 services, while layer 3 services belong to and are manageable by the PNA. By provisioning fully logically independent routing domains, the PNA is given the flexibility to use private and unregistered addresses. Separation of one VPN's data from another's is provided by private LSPs, or by VPNID encapsulation using label stacks over shared LSPs. Note that this is traffic separation within the SP's backbone, not encryption of user data.
The approach espoused in this memo differs from that described in RFC 2547 [Rosen1] in that no specific routing protocol has been overloaded to carry VPN routes. RFC 2547 specifies a way to modify BGP to carry VPN unicast routes across the SP's backbone. To carry multicast routes, further architectural work will be necessary.
A virtual router is a collection of threads, either static or dynamic, in a routing device, that provides routing and forwarding services much like physical routers. A virtual router need not be a separate operating system process (although it could be); it simply has to provide the illusion that a dedicated router is available to satisfy the needs of the network(s) to which it is connected. A virtual router, like its physical counterpart, is an element in a routing domain. The other routers in this domain could be physical or virtual routers themselves. Given that the virtual router connects to a specific (logically discrete) routing domain and that a physical router can support multiple virtual routers, it follows that a physical router supports multiple (logically discrete) routing domains.
From the user (VPN customer) standpoint, it is imperative that the virtual router be as equivalent to a physical router as possible. In other words, with very minor and very few exceptions, the virtual router should appear for all purposes (configuration, management, monitoring and troubleshooting) like a dedicated physical router. The main motivation behind this requirement is to avoid upgrading or re-configuring the large installed base of routers and to avoid retraining of network administrators.
The aspects of a router that a virtual router needs to emulate are:

1. Configuration of any combination of routing protocols
2. Monitoring of the network
3. Troubleshooting.
Every VPN has a logically independent routing domain. This enhances the SP's ability to offer a fully flexible virtual router service that can fully serve the SP's customer without requiring physical per-VPN routers. This means that the SP's "hardware" investments, namely routers and links between them, can be re-used by multiple customers.
1. Easy, scalable configuration of VPN endpoints in the service provider network. At most, one piece of configuration should be necessary when a CE is added.

2. No use of SP resources that are globally unique and hard to get, such as IP addresses and subnets.

3. Dynamic discovery of VRs (Virtual Routers) in the SP's cloud. This is an optional, but extremely valuable "keep it simple" goal.

4. Virtual Routers should be fully configurable and monitorable by the VPN network administrator. This provides the PNA with the flexibility to either configure the VPN themselves or outsource configuration tasks to the SP.

5. Quality of data forwarding should be configurable on a VPN-by-VPN basis. This should translate to continuous (but perhaps discrete) grades of service. Some examples include best effort, dedicated bandwidth, QOS, and policy based forwarding services.

6. Differentiated services should be configurable on a VPN-by-VPN basis, perhaps based on LSPs set up for exclusive use for forwarding data traffic in the VPN.

7. Security of internet routers extended to virtual routers. This means that the virtual router's data forwarding and routing functions should be as secure as a dedicated, private physical router. There should be no unintended leak of information (user data and reachability information) from one routing domain to another.

8. Specific routing protocols should not be mandated between virtual routers. This is critical to ensuring the VPN customer can set up the network and policies as the customer sees fit. For example, some protocols are strong in filtering, while others are strong in traffic engineering. The VPN customer might want to exploit both to achieve "best of breed" network quality.

9. No special extensions to existing routing protocols such as BGP, RIP, OSPF, ISIS etc. This is critical to allowing the future addition of other services such as NHRP and multicast. In addition, as advances and addenda are made to existing protocols (such as traffic engineering extensions to ISIS and OSPF), they can be easily incorporated into the VPN implementation.
The service provider network must run some form of multicast routing to all nodes that will have VPN connections and to nodes that must forward multicast datagrams for virtual router discovery. A specific multicast routing protocol is not mandated. An SP may run MOSPF or DVMRP or any other protocol.
1. Every VPN is assigned a VPNID which is unique within the SP's network. This identifier unambiguously identifies the VPN with which a packet or connection is associated. The VPNID of zero is reserved; it is associated with and represents the public internet. It is recommended, but not required that these VPN identifiers will be compliant with RFC 2685 [Fox].
2. The VPN service is offered in the form of a Virtual Router service. These VRs reside in the SPED and are as such confined to the edge of the SP's cloud. The VRs will use the SP's network for data and control packet forwarding but are otherwise invisible outside the SPEDs.
3. The "size" of the VR contracted to the VPN in a given SPED is expressed by the quantity of IP resources such as routing interfaces, route filters, routing entries etc. This is entirely under the control of the SP and provides the fine granularity that the SP requires to offer virtually infinite grades of VR service on a per-SPED level. [Example: one SPED may be the aggregating point (say headquarters of the corporation) for a given VPN and a number of other SPEDs may be access points (branch offices). In this case, the SPED connected to the headquarters may be contracted to provide a large VR while the SPEDs connected to the branch offices may house small, perhaps stub, VRs.] This provision also allows the SP to design the network with an end goal of distributing the load among the routers in the network.
4. One indicator of the VPN size is the number of SPEDs in the SP's network that have connections to CPE routers in that VPN. In this respect, a VPN with many sites that need to be connected is a "large" VPN whereas one with a few sites is a "small" VPN. Also, it is conceivable that a VPN grows or shrinks in size over time. VPNs may even merge due to corporate mergers, acquisitions and partnering agreements. These changes are easy to accommodate in this architecture, as globally unique IP resources do not have to be dedicated or assigned to VPNs. The number of SPEDs is not limited by any artificial configuration limits.
5. The SP owns and manages Layer 1 and Layer 2 entities. To be specific, the SP controls physical switches or routers, physical links, logical layer 2 connections (such as DLCI in Frame Relay and VPI/VCI in ATM) and LSPs (and their assignment to specific VPNs). In the context of VPNs, it is the SP's responsibility to contract and assign layer 2 entities to specific VPNs.
6. Layer 3 entities belong to and are manageable by the PNA. Examples of these entities include IP interfaces, choice of dynamic routing protocols or static routes, and routing interfaces. Note that although Layer 3 configuration logically falls under the PNA's area of responsibility, it is not necessary for the PNA to execute it. It is quite viable for the PNA to outsource the IP administration of the virtual routers to the Service Provider. Regardless of who assumes responsibility for configuration and monitoring, this approach provides a full routing domain view to the PNA and empowers the PNA to design the network to achieve intranet, extranet and traffic engineering goals.
7. The VPNs can be managed as if physical routers rather than VRs were deployed. Therefore, management may be performed using SNMP or other similar methods or directly at the VR console (VRC).
8. Industry-standard troubleshooting tools such as 'ping' and 'traceroute' are available to the PNA just as they would be in a routing domain comprised exclusively of dedicated physical routers. Therefore, monitoring and troubleshooting may be performed using SNMP or similar methods, but may also include the use of these standard tools. Again, the VRC may be used for these purposes just like any physical router.
9. Since the VRC is visible to the user, router specific security checks need to be put in place to make sure the VPN user is allowed access to Layer 3 resources in that VPN only and is disallowed from accessing physical resources in the router. Most routers achieve this through the use of database views.
10. The VRC is available to the SP as well. If configuration and monitoring has been outsourced to the SP, the SP may use the VRC to accomplish these tasks as if it were the PNA.
11. The VRs in the SPEDs form the VPN in the SP's network. Together, they represent a virtual routing domain. They dynamically discover each other by utilizing an emulated LAN resident in the SP's network.
Each VPN in the SP's network is assigned one and only one multicast address. This address is chosen from the administratively scoped range (239.192.0.0/14) [Meyer], and the only requirement is that the multicast address can be uniquely mapped to a specific VPN. This is easily automated by routers by the use of a simple function that unambiguously maps a VPNID to the multicast address. Subscription to this multicast address allows a VR to discover and be discovered by other VRs. It is important to note that the multicast address does not have to be configured.
12. Data forwarding may be done in one of several ways:

    1. An LSP with best-effort characteristics that all VPNs can use.
    2. An LSP dedicated to a VPN and traffic engineered by the VPN customer.
    3. A private LSP with differentiated characteristics.
    4. Policy based forwarding on a dedicated L2 Virtual Circuit.

    The choice of the preferred method is negotiable between the SP and the VPN customer, perhaps constituting part of the SLA between them. This allows the SP to offer different grades of service to different VPN customers.

    Of course, hop-by-hop forwarding is also available to forward routing packets and to forward user data packets during periods of LSP establishment and failure.
13. This approach does not mandate that separate operating system tasks for each of the routing protocols be run for each VR that the SPED houses. Specific implementations may be tailored to the particular SPED in use. Maintaining separate routing databases and forwarding tables, one per VR, is one way to get the highest performance for a given SPED.
A typical VPN is expected to have 100s to 1000s of endpoints within the SP cloud. Therefore, configuration should scale (at most) linearly with the number of end points. To be specific, the administrator should have to add a couple of configuration items when a new customer site joins the set of VRs constituting a specific VPN. Anything worse will make this task too daunting for the service provider. In this architecture, all that the service provider needs to allocate and configure is the ingress/egress physical link (e.g. Frame Relay DLCI or ATM VPI/VCI) and the virtual connection between the VR and the emulated LAN.
The VRs in a given VPN reside in a number of SPEDs in the network. These VRs need to learn about each other and be connected.
One way to do this is to require the manual configuration of neighbors. As an example, when a new site is added to a VPN, this would require the configuration of all the other VRs as neighbors. This is obviously not scalable from a configuration and network resource standpoint.
The need then arises to allow these VRs to dynamically discover each other. Neighbor discovery is facilitated by providing each VPN with a limited emulated LAN. This emulated LAN is used in several ways:
1. Address resolution uses this LAN to resolve next-hop (private) IP addresses associated with the other VRs.
2. Routing protocols such as RIP and OSPF use this limited emulated LAN for neighbor discovery and to send routing updates.
The per-VPN LAN is emulated using an IP multicast address. In the interest of conserving public address space, and because this multicast address needs to be visible only in the SP network space, an address from the organization-local scoped multicast block (239.192.0.0/14) described in [Meyer] is used. Each VPN is allocated an address from this range. To completely eliminate configuration in this regard, this address is computed from the VPNID.
Figure 1 'Physical Routing Domain' (diagram not reproduced): physical routers A (151.0.0.1), B (152.0.0.2) and C (153.0.0.3), connected to one another.
The physical domain in the SP's network is shown in the above figure. In this network, physical routers A, B and C are connected together. Each of the routers has a 'public' IP address assigned to it. These addresses uniquely identify each of the routers in the SP's network.
Figure 2 'Virtual Routing Domain' (diagram not reproduced): VR-A in ROUTER 'A' (151.0.0.1) runs OSPF towards 172.150.0/18 and 172.150.128/18, the latter containing the Parts DB at 172.150.128.1; VR-B in ROUTER 'B' (152.0.0.2) connects to 172.150.64/18; VR-C in ROUTER 'C' (153.0.0.3) connects to the extranet vendors. VR-A, VR-B and VR-C attach to the emulated LAN as 10.0.0.1/24, 10.0.0.2/24 and 10.0.0.3/24.
Each Virtual Router is configurable by the PNA as though it were a private physical router. Of course, the SP limits the resources that this Virtual Router may consume on a SPED-by-SPED basis. Each VPN has a number of physical connections (to CPE routers) and a number of logical connections (to the emulated LAN). Each connection is IP-capable and can be configured to utilize any combination of the standard routing protocols and routing policies to achieve specific corporate network goals.
To illustrate, in Figure 2, three VRs reside on three SPEDs in VPN 1. Router 'A' houses VR-A, router 'B' houses VR-B and router 'C' houses VR-C. VR-C and VR-B each have one physical connection to CPE equipment, while VR-A has two physical connections. Each of the VRs has a fully IP-capable logical connection to the emulated LAN. VR-A has the (physical) connections to the headquarters of the company and runs OSPF over those connections. Therefore, it can route packets to 172.150.0/18 and 172.150.128/18. VR-B runs RIP in the branch office (over the physical connection) and uses RIP (over the logical connection) to export 172.150.64/18 to VR-A. VR-A advertises a default route to VR-B over the logical connection. Vendors use VR-C as the extranet connection to connect to the parts database at 172.150.128.1. Hence, VR-C advertises a default route to VR-A over the logical connection. VR-A exports only 172.150.128.1 to VR-C, so that the rest of the corporate network is not reachable from the vendors' side. Route filtering alone only limits what VR-C learns; a packet filter on VR-A's emulated-LAN interface that admits only traffic from VR-C destined to 172.150.128.1 also covers the case of a vendor site pointing a static route at VR-C.
The network administrator will configure the following:

1. OSPF connections to the 172.150.0/18 and 172.150.128/18 networks in VR-A.
2. RIP connections to VR-B and VR-C on VR-A.
3. Route policies on VR-A to advertise only the default route to VR-B.
4. Route policies on VR-A to advertise only 172.150.128.1 to VR-C.
5. RIP on VR-B to advertise 172.150.64/18 to VR-A.
6. RIP on VR-C to advertise a default route to VR-A.
In Figure 2, the SPED that houses VR-A (SPED-A) uses a public address of 151.0.0.1, SPED-B uses 152.0.0.2 and SPED-C uses 153.0.0.3. As noted, the connection between the VRs is via an emulated LAN. For interface addresses on the emulated LAN connection, VR-A uses 10.0.0.1/24, VR-B uses 10.0.0.2/24 and VR-C uses 10.0.0.3/24.
Let's take the case of VR-A sending a packet to VR-B. To get VR-B's "hardware" address (SPED-B's public address), VR-A sends an ARP request with the address of VR-B (10.0.0.2) as the target logical address. The source logical address is 10.0.0.1 and the source hardware address is 151.0.0.1. This ARP request is encapsulated in a packet addressed to this VPN's multicast address and sent out. SPED-B and SPED-C each receive a copy of the packet. SPED-B recognizes 10.0.0.2 in the context of VPN 1 and responds with 152.0.0.2 as the "hardware" address. This response is also sent to the VPN multicast address, so that every VR in the VPN can learn the binding (promiscuous ARP) and network traffic is reduced. As with ARP on a physical LAN, the exchange itself is unauthenticated; the administrative scope of the VMA must therefore be enforced at the SP's boundary so that only SPEDs can join the group.
Manual configuration would be necessary if neighbor discovery were not used. In this example, VR-A would be configured with a static ARP entry for VR-B's logical address (10.0.0.2) with the "hardware" address set to 152.0.0.2.
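The VPNID-to-VMA mapping and the multicast ARP exchange described above, as an added example in Python; this is not code from RFC 2917. The mapping function is one hypothetical choice, since the RFC only requires an unambiguous mapping into 239.192.0.0/14; the Backbone class stands in for the SP's multicast routing, and the topology in demo() is constructed from the figures' addresses, with a second VPN added to show that 10.0.0.2 resolves differently in each VPN.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# 239.192.0.0/14 is the organization-local scope of RFC 2365 [Meyer].
VMA_BASE = int(ipaddress.IPv4Address("239.192.0.0"))
VMA_SLOTS = 1 << 18          # a /14 holds 2**18 addresses


def vpn_multicast_address(vpnid: int) -> str:
    """Derive the VPN Multicast Address (VMA) from the VPNID.

    Hypothetical mapping (the RFC only requires that it be unambiguous):
    VPNID 0 is the public internet and gets no group; 1..2**18-1 map
    one-to-one onto the organization-local block.
    """
    if not 0 < vpnid < VMA_SLOTS:
        raise ValueError("VPNID %d cannot be encoded in 239.192.0.0/14" % vpnid)
    return str(ipaddress.IPv4Address(VMA_BASE + vpnid))


@dataclass
class ArpMessage:
    vpnid: int          # VPN context: the "hardware" address space is per VPN
    op: str             # "request" or "reply"
    sender_ip: str      # private address of the sending VR on the emulated LAN
    sender_hw: str      # its "hardware" address: the public address of its SPED
    target_ip: str      # private address being resolved


@dataclass
class Sped:
    """A Service Provider Edge Device housing at most one VR per VPN."""
    public_ip: str
    vrs: Dict[int, str]                                            # vpnid -> VR LAN address
    arp: Dict[int, Dict[str, str]] = field(default_factory=dict)   # one ARP cache per VR

    def receive(self, msg: ArpMessage) -> Optional[ArpMessage]:
        vr_ip = self.vrs.get(msg.vpnid)
        if vr_ip is None:
            return None                   # no VR here: not subscribed to this group
        cache = self.arp.setdefault(msg.vpnid, {})
        # Promiscuous ARP: every VR in the group learns the sender's binding,
        # whether the message is a request or a reply.
        cache[msg.sender_ip] = msg.sender_hw
        if msg.op == "request" and msg.target_ip == vr_ip:
            # Answer with this SPED's public address as the "hardware" address.
            return ArpMessage(msg.vpnid, "reply", vr_ip, self.public_ip, msg.sender_ip)
        return None


class Backbone:
    """Stand-in for the SP's multicast routing: a packet sent to a VPN's VMA
    reaches every SPED with a VR in that VPN.  Replies are multicast too."""

    def __init__(self, speds: List[Sped]):
        self.speds = speds

    def multicast(self, msg: ArpMessage) -> str:
        group = vpn_multicast_address(msg.vpnid)
        for sped in self.speds:
            if msg.vpnid not in sped.vrs or sped.public_ip == msg.sender_hw:
                continue
            reply = sped.receive(msg)
            if reply is not None:
                self.multicast(reply)
        return group


def resolve(backbone: Backbone, src: Sped, vpnid: int, target_ip: str) -> Optional[str]:
    """The VR for `vpnid` on `src` resolves a neighbour VR's LAN address to the
    public address of the SPED housing it, consulting its own cache first."""
    cache = src.arp.setdefault(vpnid, {})
    if target_ip not in cache:
        req = ArpMessage(vpnid, "request", src.vrs[vpnid], src.public_ip, target_ip)
        backbone.multicast(req)
    return cache.get(target_ip)


def demo() -> Dict[str, Optional[str]]:
    """Constructed topology: VPN 1 spans SPEDs A, B and C (as in Figure 2);
    a hypothetical VPN 2 spans A and C and reuses 10.0.0.2 on SPED-C."""
    a = Sped("151.0.0.1", {1: "10.0.0.1", 2: "10.0.0.1"})
    b = Sped("152.0.0.2", {1: "10.0.0.2"})
    c = Sped("153.0.0.3", {1: "10.0.0.3", 2: "10.0.0.2"})
    net = Backbone([a, b, c])
    return {
        "vpn1_10.0.0.2": resolve(net, a, 1, "10.0.0.2"),       # SPED-B answers
        "vpn2_10.0.0.2": resolve(net, a, 2, "10.0.0.2"),       # same IP, SPED-C answers
        "c_learned_vpn1": c.arp.get(1, {}).get("10.0.0.2"),    # learned promiscuously
        "c_learned_vpn2": c.arp.get(2, {}).get("10.0.0.3"),    # nothing crossed VPNs
        "vpn1_group": vpn_multicast_address(1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Each VR keeps its own ARP cache keyed by VPNID, which is what makes the overlapping 10.0.0.2 addresses resolve correctly; a SPED with no VR in a VPN never joins that VPN's group and so never sees its ARP traffic.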
As mentioned in the architectural outline, data forwarding may be done in one of several ways. In all techniques except the hop-by-hop technique for forwarding routing/control packets, the actual method is configurable. At the high end is policy based forwarding for premium service, and at the other end best effort forwarding using the public LSP. The order of forwarding preference is as follows:

1. Policy based forwarding.
2. Optionally configured private LSP.
3. Best-effort public LSP.
The private LSP is optionally configured on a per-VPN basis. This LSP is usually associated with a non-zero bandwidth reservation and/or a specific differentiated service or QOS class. If this LSP is available, it is used for user data and for VPN private control data forwarding.
VPN data packets are forwarded using the best-effort public LSP if a private LSP with specified bandwidth and/or QOS characteristics is either not configured or not presently available. The LSP used is the one destined for the egress router in VPN 0. The VPNID carried in the label stack (shim header) is used to de-multiplex data packets from various VPNs at the egress router.
Configuring private LSPs for VPNs allows the SP to offer differentiated services to paying customers. These private LSPs could be associated with any available L2 QOS class or Diff-Serv codepoints. In a VPN, multiple private LSPs with different service classes could be configured with flow profiles for sorting the packets among the LSPs. This feature, together with the ability to size the virtual routers, allows the SP to offer truly differentiated services to the VPN customer.
The use of standard routing protocols such as OSPF and BGP in their unmodified form means that all of their security mechanisms (such as MD5 authentication of neighbors) are fully available in VRs. Note that neighbor authentication protects the routing exchange, not user data, which MPLS encapsulation does not encrypt. Making sure that routes are not accidentally leaked from one VPN to another is an implementation issue. One way to achieve this is to maintain separate routing and forwarding databases.

This allows the SP to assure the VPN customer that data packets in one VPN never have the opportunity to wander into another. From a routing standpoint, this is achieved by maintaining separate routing databases for each virtual router. From a data forwarding standpoint, the use of label stacks in the case of shared LSPs [Rosen2] [Callon], or the use of private LSPs, keeps each VPN's packets separate. This is traffic separation inside the SP's network, not confidentiality against the SP itself or against anyone with access to the backbone links. Packet filters may also be configured to help ease the problem.
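Forwarding over a shared LSP with a VPN label on the stack, and the egress de-multiplexing into per-VR forwarding tables discussed in the forwarding and security sections above, as an added example in Python; this is not RFC 2917's own code. Assumptions the RFC does not fix: the inner label is a locally assigned value that the egress SPED maps back to a VPNID (a 20-bit label cannot carry an RFC 2685 7-byte VPNID directly); the egress pops the LSP label itself (no penultimate-hop popping); EXP bits and TTL handling are ignored; the FIBs and addresses are constructed.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple


def encode_label(label: int, bottom: bool, ttl: int = 64) -> bytes:
    """One 32-bit MPLS shim entry: 20-bit label, 3-bit EXP (zero here),
    1-bit bottom-of-stack flag, 8-bit TTL (RFC 3032 layout)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label %d does not fit in 20 bits" % label)
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | (ttl & 0xFF))


def decode_label(entry: bytes) -> Tuple[int, bool]:
    """Return (label, bottom_of_stack) for a 4-byte shim entry."""
    (word,) = struct.unpack("!I", entry)
    return word >> 12, bool((word >> 8) & 1)


def ipv4_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def longest_prefix_match(fib: Dict[str, str], dst: str) -> Optional[str]:
    """Look dst up in one VR's forwarding table; None means no route (drop)."""
    addr = ipaddress.IPv4Address(dst)
    best_len, best_hop = -1, None
    for prefix, next_hop in fib.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, next_hop
    return best_hop


class IngressSped:
    """Pushes [LSP label to the egress SPED, VPN label] onto each VPN packet."""

    def __init__(self, lsp_label_to: Dict[str, int], vpn_label: Dict[int, int]):
        self.lsp_label_to = lsp_label_to    # egress SPED name -> outer label
        self.vpn_label = vpn_label          # VPNID -> inner (bottom) label

    def encapsulate(self, vpnid: int, egress: str, packet: bytes) -> bytes:
        outer = encode_label(self.lsp_label_to[egress], bottom=False)
        inner = encode_label(self.vpn_label[vpnid], bottom=True)
        return outer + inner + packet


class EgressSped:
    """Pops the LSP label, maps the VPN label to a VPNID and forwards from
    that VR's own FIB only; anything it cannot attribute to a VPN is dropped."""

    def __init__(self, lsp_label: int, label_to_vpn: Dict[int, int],
                 fibs: Dict[int, Dict[str, str]]):
        self.lsp_label = lsp_label          # label of the shared LSP ending here
        self.label_to_vpn = label_to_vpn    # inner label -> VPNID
        self.fibs = fibs                    # VPNID -> that VR's forwarding table

    def deliver(self, frame: bytes) -> Optional[Tuple[int, str, Optional[str]]]:
        """Return (vpnid, destination, next_hop), or None if the frame is
        dropped.  A next_hop of None means the VR had no route."""
        if len(frame) < 8 + 20:
            return None
        outer, bottom = decode_label(frame[:4])
        if outer != self.lsp_label or bottom:
            return None    # not our LSP, or no VPN label beneath: never guess a VPN
        inner, bottom = decode_label(frame[4:8])
        if not bottom:
            return None    # deeper stack than this design expects
        vpnid = self.label_to_vpn.get(inner)
        if vpnid is None:
            return None    # unknown VPN label: drop, never fall back to VPN 0
        packet = frame[8:]
        dst = str(ipaddress.IPv4Address(packet[16:20]))
        return vpnid, dst, longest_prefix_match(self.fibs[vpnid], dst)


def demo() -> Dict[str, object]:
    """Constructed scenario: VPN 1 (corporate) and VPN 2 (vendor extranet)
    both use 10.1.0.0/16 behind the same egress SPED."""
    ingress = IngressSped(lsp_label_to={"SPED-B": 1001}, vpn_label={1: 16, 2: 17})
    egress = EgressSped(lsp_label=1001, label_to_vpn={16: 1, 17: 2}, fibs={
        1: {"10.1.0.0/16": "vpn1-ce", "0.0.0.0/0": "vpn1-default"},
        2: {"10.1.0.0/16": "vpn2-ce"},
    })
    pkt = ipv4_packet("10.0.0.1", "10.1.2.3", b"hello")
    internet = ipv4_packet("10.0.0.1", "192.0.2.9")
    bogus = encode_label(1001, bottom=False) + encode_label(99, bottom=True) + pkt
    unlabelled = encode_label(1001, bottom=True) + pkt
    return {
        "vpn1": egress.deliver(ingress.encapsulate(1, "SPED-B", pkt)),
        "vpn2": egress.deliver(ingress.encapsulate(2, "SPED-B", pkt)),
        "vpn1_internet": egress.deliver(ingress.encapsulate(1, "SPED-B", internet)),
        "vpn2_internet": egress.deliver(ingress.encapsulate(2, "SPED-B", internet)),
        "unknown_vpn_label": egress.deliver(bogus),
        "missing_vpn_label": egress.deliver(unlabelled),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The same destination 10.1.2.3 reaches a different CE depending only on the VPN label, and a frame whose VPN label is unknown or missing is dropped rather than looked up in any table; that drop-by-default at the egress is what the "no opportunity to wander into another VPN" assurance rests on.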
Virtual routers appear as physical routers to the PNA. This means that they may be configured by the PNA to achieve connectivity between offices of a corporation. Obviously, the SP has to guarantee that the PNA and the PNA's designees are the only ones who have access to the VRs on the SPEDs the private network has connections to. Since the virtual router console is functionally equivalent to a physical router, all of the authentication methods available on a physical console such as password, RADIUS, etc. are available to the PNA.
When a PNA logs in to a SPED to configure or monitor the VPN, the PNA is logged into the VR for the VPN. The PNA has only layer 3 configuration and monitoring privileges for the VR. Specifically, the PNA has no configuration privileges for the physical network. This provides the guarantee to the SP that a VPN administrator will not be able to inadvertently or otherwise adversely affect the SP's network.
All of the router monitoring features available on a physical router are available on the virtual router. This includes utilities such as "ping" and "traceroute". In addition, the ability to display private routing tables, link state databases, etc. are available.
For the purposes of discussing performance and scaling issues, today's routers can be split into two planes: the routing (control) plane and the forwarding plane.
In looking at the routing plane, most modern-day routing protocols use some form of optimized calculation to compute the shortest path(s) to end stations. For instance, OSPF and ISIS use the Dijkstra algorithm while BGP uses the "Decision Process". These algorithms are based on parsing the routing database and computing the best paths to end stations. The performance characteristics of any of these algorithms depend on either topological characteristics (ISIS and OSPF) or the number of ASs in the path to the destinations (BGP). But it is important to note that the overhead in setting up and beginning these calculations is very small for almost any modern day router. This is because, although we refer to routing calculation input as "databases", these are memory resident data structures.
Therefore, the following conclusions can be drawn:
1. Beginning a routing calculation for a routing domain is nothing more than setting up some registers to point to the right database objects.
2. Based on 1, the performance of a given algorithm is not significantly worsened by the overhead required to set it up.
3. Based on 2, it follows that, when a number of routing calculations for a number of virtual routers has to be performed by a physical router, the complexity of the resulting routing calculation is nothing more than the sum of the complexities of the routing calculations of the individual virtual routers.
4. Based on 3, it follows that whether an overlay model is used or a virtual routing model is employed, the performance characteristics of a router are dependent purely on its hardware capabilities and the choice of data structures and algorithms.
To illustrate, let's say a physical router houses N VPNs, all running some routing protocol, say RP. Let's also suppose that the average performance of RP's routing calculation algorithm is f(X,Y), where X and Y are parameters that determine the performance of the algorithm for that routing protocol. As an example, for Dijkstra algorithm users such as OSPF, X could be the number of nodes in the area while Y could be the number of links. The performance of an arbitrary VPN n is f(Xn, Yn). The performance of the (physical) router is the sum of f(Xi, Yi) for all values of i in 0 <= i <= N. This conclusion is independent of the chosen VPN approach (virtual router or overlay model).
In the usual case, the forwarding plane has two inputs: the forwarding table and the packet header. The main performance parameter is the lookup algorithm. The very best performance one can get for an IP routing table lookup is by organizing the table as some form of tree and using binary search methods to do the actual lookup. The performance of this algorithm is O(log n).
Hence, as long as the virtual routers' routing tables are distinct from each other, the lookup cost is constant for finding the routing table and O(log n) for finding the entry. This is no worse than any other router, and no different from a router that employs overlay techniques to deliver VPN services. However, when the overlay router integrates multiple VPNs' routing tables into one, the performance is O(log m*n), where 'm' is the number of VPNs that the routing table holds routes for.
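To make the lookup-cost argument concrete, here is an added example (not from RFC 2917) that builds m per-VR tables of n routes each and one integrated table keyed by (VPNID, prefix), then counts binary-search comparisons in both models. Routes are /24 prefixes so an exact-match binary search stands in for the tree lookup described above; all VPNIDs and prefixes are constructed, and every VPN deliberately reuses the same 10.0.x.0/24 space, as overlapping customer addressing is the norm.

```python
"""Added example (not from RFC 2917): forwarding lookups against per-VR tables
versus one integrated table holding m VPNs' routes. Constructed data; /24
routes so a plain binary search stands in for the tree lookup in the text."""
import ipaddress
from typing import Dict, List, Tuple

def binary_search(keys: List, key) -> Tuple[int, int]:
    """Plain binary search; returns (index or -1, number of comparisons)."""
    lo, hi, steps = 0, len(keys) - 1, 0
    while lo <= hi:
        mid = (lo + hi) // 2
        steps += 1
        if keys[mid] == key:
            return mid, steps
        if keys[mid] < key:
            lo = mid + 1
        else:
            hi = mid - 1
    return -1, steps

def build_tables(m: int, n: int):
    """m VPNs, each with the same n overlapping 10.0.x.0/24 routes."""
    per_vr: Dict[str, List[int]] = {}
    integrated: List[Tuple[str, int]] = []
    for v in range(m):
        vpnid = f"vpn-{v:03d}"
        prefixes = [int(ipaddress.ip_address(f"10.0.{x}.0")) for x in range(n)]
        per_vr[vpnid] = sorted(prefixes)
        integrated.extend((vpnid, p) for p in prefixes)
    return per_vr, sorted(integrated)

def lookup_per_vr(per_vr, vpnid: str, dst: str) -> Tuple[bool, int]:
    """O(1) table selection by VPNID, then O(log n) search inside that VR."""
    key = int(ipaddress.ip_address(dst)) & 0xFFFFFF00
    idx, steps = binary_search(per_vr[vpnid], key)
    return idx >= 0, steps

def lookup_integrated(integrated, vpnid: str, dst: str) -> Tuple[bool, int]:
    """One O(log m*n) search over all VPNs' routes keyed by (VPNID, prefix)."""
    key = (vpnid, int(ipaddress.ip_address(dst)) & 0xFFFFFF00)
    idx, steps = binary_search(integrated, key)
    return idx >= 0, steps

def compare(m: int = 64, n: int = 256) -> Dict[str, int]:
    """Worst-case comparison counts over every (VPN, destination) pair."""
    per_vr, integrated = build_tables(m, n)
    probes = [(v, f"10.0.{x}.1") for v in per_vr for x in range(n)]
    return {"per_vr_worst": max(lookup_per_vr(per_vr, v, d)[1] for v, d in probes),
            "integrated_worst": max(lookup_integrated(integrated, v, d)[1] for v, d in probes)}
```

With the defaults m = 64 and n = 256 the per-VR worst case stays at 9 comparisons while the integrated table needs 15, the log2(m) = 6 extra steps the text predicts; keeping the VPNID in the integrated key is what stops one VPN's 10.0.x.0/24 route from answering another VPN's packet.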
The authors wish to thank Dave Ryan of Lucent Technologies for his invaluable in-depth review of this version of this memo.
Karthik Muthukrishnan Lucent Technologies 1 Robbins Road Westford, MA 01886
Phone: (978) 952-1368 EMail: mkarthik@lucent.com
Andrew Malis Vivace Networks, Inc. 2730 Orchard Parkway San Jose, CA 95134
Phone: (408) 383-7223 EMail: Andy.Malis@vivacenetworks.com
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.