Network Working Group                                           E. Rosen
Request for Comments: 4577                                     P. Psenak
Updates: 4364                                          P. Pillay-Esnault
Category: Standards Track                            Cisco Systems, Inc.
                                                               June 2006
        

OSPF as the Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Private Networks (VPNs)

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

Many Service Providers offer Virtual Private Network (VPN) services to their customers, using a technique in which customer edge routers (CE routers) are routing peers of provider edge routers (PE routers). The Border Gateway Protocol (BGP) is used to distribute the customer's routes across the provider's IP backbone network, and Multiprotocol Label Switching (MPLS) is used to tunnel customer packets across the provider's backbone. This is known as a "BGP/MPLS IP VPN". The base specification for BGP/MPLS IP VPNs presumes that the routing protocol on the interface between a PE router and a CE router is BGP. This document extends that specification by allowing the routing protocol on the PE/CE interface to be the Open Shortest Path First (OSPF) protocol.

This document updates RFC 4364.

Table of Contents

   1. Introduction
   2. Specification of Requirements
   3. Requirements
   4. BGP/OSPF Interaction Procedures for PE Routers
      4.1. Overview
           4.1.1. VRFs and OSPF Instances
           4.1.2. VRFs and Routes
           4.1.3. Inter-Area, Intra-Area, and External Routes
           4.1.4. PEs and OSPF Area 0
           4.1.5. Prevention of Loops
      4.2. Details
           4.2.1. Independent OSPF Instances in PEs
           4.2.2. Router ID
           4.2.3. OSPF Areas
           4.2.4. OSPF Domain Identifiers
           4.2.5. Loop Prevention
                  4.2.5.1. The DN Bit
                  4.2.5.2. Use of OSPF Route Tags
                  4.2.5.3. Other Possible Loops
           4.2.6. Handling LSAs from the CE
           4.2.7. Sham Links
                  4.2.7.1. Intra-Area Routes
                  4.2.7.2. Creating Sham Links
                  4.2.7.3. OSPF Protocol on Sham Links
                  4.2.7.4. Routing and Forwarding on Sham Links
           4.2.8. VPN-IPv4 Routes Received via BGP
                  4.2.8.1. External Routes
                  4.2.8.2. Summary Routes
                  4.2.8.3. NSSA Routes
   5. IANA Considerations
   6. Security Considerations
   7. Acknowledgements
   8. Normative References
   9. Informative References
        
1. Introduction

[VPN] describes a method by which a Service Provider (SP) can use its IP backbone to provide a VPN (Virtual Private Network) service to customers. In that method, a customer's edge devices (CE devices) are connected to the provider's edge routers (PE routers). If the CE device is a router, then the PE router may become a routing peer of the CE router (in some routing protocol) and may, as a result, learn the routes that lead to the CE's site and that need to be distributed to other PE routers that attach to the same VPN.

The PE routers that attach to a common VPN use BGP (Border Gateway Protocol) to distribute the VPN's routes to each other. A CE router can then learn the routes to other sites in the VPN by peering with its attached PE router in a routing protocol. CE routers at different sites do not, however, peer with each other.

It can be expected that many VPNs will use OSPF (Open Shortest Path First) as their IGP (Interior Gateway Protocol), i.e., the routing protocol used by a network for the distribution of internal routes within that network. This does not necessarily mean that the PE routers need to use OSPF to peer with the CE routers. Each site in a VPN can use OSPF as its intra-site routing protocol, while using, for example, BGP [BGP] or RIP (Routing Information Protocol) [RIP] to distribute routes to a PE router. However, it is certainly convenient, when OSPF is being used intra-site, to use it on the PE-CE link as well, and [VPN] explicitly allows this.

Like anything else, the use of OSPF on the PE-CE link has advantages and disadvantages. The disadvantage to using OSPF on the PE-CE link is that it gets the SP's PE router involved, however peripherally, in a VPN site's IGP. The advantages though are:

- The administrators of the CE router need not have any expertise in any routing protocol other than OSPF.

- The CE routers do not need to have support for any routing protocols other than OSPF.

- If a customer is transitioning his network from a traditional OSPF backbone to the VPN service described in [VPN], the use of OSPF on the PE-CE link eases the transitional issues.

It seems likely that some SPs and their customers will resolve these trade-offs in favor of the use of OSPF on the PE-CE link. Thus, we need to specify the procedures that must be implemented by a PE router in order to make this possible. (No special procedures are needed in the CE router though; CE routers just run whatever OSPF implementations they may have.)

2. Specification of Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Requirements

Consider a set of VPN sites that are thought of as being in the same "OSPF domain". Two sites are considered to be in the same OSPF domain if it is intended that routes from one site to the other be considered intra-network routes. A set of OSPF sites in the same domain will almost certainly be a set of sites that together constitute an "intranet", each of which runs OSPF as its intra-site routing protocol.

Per [VPN], the VPN routes are distributed among the PE routers by BGP. If the PE uses OSPF to distribute routes to the CE router, the standard procedures governing BGP/OSPF interactions [OSPFv2] would cause routes from one site to be delivered to another in type 5 LSAs (Link State Advertisements), as "AS-external" routes. This is undesirable; it would be much better to deliver such routes in type 3 LSAs (as inter-area routes), so that they can be distinguished from any "real" AS-external routes that may be circulating in the VPN (that is, so that they can be distinguished by OSPF from routes that really do not come from within the VPN). Hence, it is necessary for the PE routers to implement a modified version of the BGP/OSPF interaction procedures.

In fact, we would like to have a very general set of procedures that allows a customer to replace a legacy private OSPF backbone easily with the VPN service. We would like this procedure to meet the following set of requirements:

- The procedures should not make assumptions about the OSPF topology. In particular, it should not be assumed that customer sites are OSPF stub sites or NSSA (Not So Stubby Area) sites. Nor should it be assumed that a customer site contains only one OSPF area, or that it has no area 0 routers.

- If VPN sites A and B are in the same OSPF domain, then routes from one should be presented to the other as OSPF intra-network routes. In general, this can be done by presenting such routes as inter-area routes in type 3 LSAs.

Note that this allows two VPN sites to be connected via an "OSPF backdoor link". That is, one can have an OSPF link between the two sites that is used only when the VPN backbone is unavailable. (This would not be possible with the ordinary BGP/OSPF interaction procedures. The ordinary procedures would present routes via the VPN backbone as AS-external routes, and these could never be preferred to intra-network routes.) This may be very useful during a period of transition from a legacy OSPF backbone to a VPN backbone.

- It should be possible to make use of an "OSPF backdoor link" between two sites, even if the two sites are in the same OSPF area and neither of the routers attached to the inter-site backdoor link is an area 0 router. This can also be very useful during a transition period, and it eliminates any need to reconfigure the sites' routers to be ABRs (Area Border Routers).

Assuming that it is desired to have the route via the VPN backbone be preferred to the backdoor route, the VPN backbone itself must be presented to the CE routers at each site as a link between the two PE routers to which the CE routers are respectively attached.

- CE routers, connected to PE routers of the VPN service, may themselves function as OSPF backbone (area 0) routers. An OSPF backbone may even consist of several "segments" that are interconnected themselves only via the VPN service. In such a scenario, full intercommunication between sites connected to different segments of the OSPF backbone should still be possible.

- The transition from the legacy private OSPF backbone to the VPN service must be simple and straightforward. The transition is likely to be phased, such that customer sites are migrated one by one from the legacy private OSPF backbone to the VPN service. During the transition, any given site might be connected to the VPN service, to the legacy OSPF backbone, or to both. Complete connectivity among all such sites must be maintained.

Since the VPN service is to replace the legacy backbone, it must be possible, by suitable adjustment of the OSPF metrics, to make OSPF prefer routes that traverse the SP's VPN backbone to alternative routes that do not.

- The OSPF metric assigned to a given route should be carried transparently over the VPN backbone.

Routes from sites that are not in the same OSPF domain will appear as AS-external routes.

We presuppose familiarity with the contents of [OSPFv2], including the OSPF LSA types, and will refer without further exegesis to type 1, 2, 3, etc. LSAs. Familiarity with [VPN] is also presupposed.

4. BGP/OSPF Interaction Procedures for PE Routers

4.1. Overview

4.1.1. VRFs and OSPF Instances

A PE router that attaches to more than one OSPF domain MUST run an independent instance of OSPF for each domain. If the PE is running OSPF as its IGP (Interior Gateway Protocol), the instance of OSPF running as the IGP must be separate and independent from any other instance of OSPF that the PE is running. (Whether these instances are realized as separate processes or merely as separate contexts of a common process is an implementation matter.) Each interface that attaches to a VPN site belongs to no more than one OSPF instance.

[VPN] defines the notion of a Per-Site Routing and Forwarding Table, or VRF. Each VRF is associated with a set of interfaces. If a VRF is associated with a particular interface, and that interface belongs to a particular OSPF instance, then that OSPF instance is said to be associated with the VRF. If two interfaces belong to the same OSPF instance, then both interfaces must be associated with the same VRF.

If an interface attaches a PE to a CE, and that interface is associated with a VRF, we will speak of the CE as being associated with the VRF.

4.1.2. VRFs and Routes

OSPF is used to distribute routes from a CE to a PE. The standard OSPF decision process is used to install the best OSPF-distributed routes in the VRF.

Per [VPN], BGP is used to distribute VPN-IPv4 routes among PE routers. An OSPF route installed in a VRF may be "exported" by being redistributed into BGP as a VPN-IPv4 route. It may then be distributed by BGP to other PEs. At the other PEs, a VPN-IPv4 route may be "imported" by a VRF and may then be redistributed into one or more of the OSPF instances associated with that VRF.

Import from and export to particular VRFs is controlled by the use of the Route Target Extended Communities attribute (or, more simply, Route Target or RT), as specified in [VPN].

A VPN-IPv4 route is "eligible for import" into a particular VRF if its Route Target is identical to one of the VRF's import Route Targets. The standard BGP decision process is used to select, from among the routes eligible for import, the set of VPN-IPv4 routes to be "installed" in the VRF.

If a VRF contains both an OSPF-distributed route and a VPN-IPv4 route for the same IPv4 prefix, then the OSPF-distributed route is preferred. In general, this means that forwarding is done according to the OSPF route. The one exception to this rule has to do with the "sham link". If the next hop interface for an installed (OSPF-distributed) route is the sham link, forwarding is done according to a corresponding BGP route. This is detailed in Section 4.2.7.4.

To meet the requirements of Section 3, a PE that installs a particular route into a particular VRF needs to know whether that route was originally an OSPF route and, if so, whether the OSPF instance from which it was redistributed into BGP is in the same domain as the OSPF instances into which the route may be redistributed. Therefore, a domain identifier is encoded as a BGP Extended Communities attribute [EXTCOMM] and distributed by BGP along with the VPN-IPv4 route. The route's OSPF metric and OSPF route type are also carried as BGP attributes of the route.

4.1.3. Inter-Area, Intra-Area, and External Routes

If a PE installs a particular VPN-IPv4 route (learned via BGP) in a VRF, and if this is the preferred BGP route for the corresponding IPv4 prefix, the corresponding IPv4 route is then "eligible for redistribution" into each OSPF instance that is associated with the VRF. As a result, it may be advertised to each CE in an LSA.

Whether a route that is eligible for redistribution into OSPF is actually redistributed into a particular OSPF instance may depend upon the configuration. For instance, the PE may be configured to distribute only the default route into a given OSPF instance. In this case, the routes that are eligible for redistribution would not actually be redistributed.

In the following, we discuss the procedures for redistributing a BGP-distributed VPN-IPv4 route into OSPF; these are the procedures to be followed whenever such a route is eligible to be redistributed into OSPF and the configuration does not prevent such redistribution.

If the route is from an OSPF domain different from that of the OSPF instance into which it is being redistributed, or if the route is not from an OSPF domain at all, then the route is considered an external route.

If the route is from the same OSPF domain as the OSPF instance into which it is being redistributed, and if it was originally advertised to a PE as an OSPF external route or an OSPF NSSA route, it will be treated as an external route. Following the normal OSPF procedures, external routes may be advertised to the CE in type 5 LSAs, or in type 7 LSAs, or not at all, depending on the type of area to which the PE/CE link belongs.

If the route is from the same OSPF domain as the OSPF instance into which it is being redistributed, and if it was originally advertised to a PE as an inter-area or intra-area route, the route will generally be advertised to the CE as an inter-area route (in a type 3 LSA).

As a special case, suppose that PE1 attaches to CE1, and that PE2 attaches to CE2, where:

- the OSPF instance containing the PE1-CE1 link and the OSPF instance containing the PE2-CE2 link are in the same OSPF domain, and

- the PE1-CE1 and PE2-CE2 links are in the same OSPF area A (as determined by the configured OSPF area number),

then, PE1 may flood to CE1 a type 1 LSA advertising a link to PE2, and PE2 may flood to CE2 a type 1 LSA advertising a link to PE1. The link advertised in these LSAs is known as a "sham link", and it is advertised as a link in area A. This makes it look to routers within area A as if the path from CE1 to PE1 across the service provider's network to PE2 to CE2 is an intra-area path. Sham links are an OPTIONAL feature of this specification and are used only when it is necessary to have the service provider's network treated as an intra-area link. See Section 4.2.7 for further details about the sham link.

The precise details by which a PE determines the type of LSA used to advertise a particular route to a CE are specified in Section 4.2.8. Note that if the VRF is associated with multiple OSPF instances, the type of LSA used to advertise the route might be different in different instances.

Note that if a VRF is associated with several OSPF instances, a given route may be redistributed into some or all of those OSPF instances, depending on the characteristics of each instance. If redistributed into two or more OSPF instances, it may be advertised within each instance using a different type of LSA, again depending on the characteristics of each instance.

4.1.4. PEs and OSPF Area 0

Within a given OSPF domain, a PE may attach to multiple CEs. Each PE/CE link is assigned (by configuration) to an OSPF area. Any link can be assigned to any area, including area 0.

If a PE attaches to a CE via a link that is in a non-zero area, then the PE serves as an ABR for that area.

PEs can thus be considered OSPF "area 0 routers", i.e., they can be considered part of the "OSPF backbone". Thus, they are allowed to distribute inter-area routes to the CE via Type 3 LSAs.

If the OSPF domain has any area 0 routers other than the PE routers, then at least one of those MUST be a CE router and MUST have an area 0 link to at least one PE router. This adjacency MAY be via an OSPF virtual link. (The ability to use an OSPF virtual link in this way is an OPTIONAL feature.) This is necessary to ensure that inter-area routes and AS-external routes can be leaked between the PE routers and the non-PE OSPF backbone.

Two sites that are not in the same OSPF area will see the VPN backbone as being an integral part of the OSPF backbone. However, if there are area 0 routers that are NOT PE routers, then the VPN backbone actually functions as a sort of higher-level backbone, providing a third level of hierarchy above area 0. This allows a legacy OSPF backbone to become disconnected during a transition period, as long as the various segments all attach to the VPN backbone.

4.1.5. Prevention of Loops

If a route sent from a PE router to a CE router could then be received by another PE router from one of its own CE routers, it would be possible for routing loops to occur. To prevent this, a PE sets the DN bit [OSPF-DN] in any LSA that it sends to a CE, and a PE ignores any LSA received from a CE that already has the DN bit set. Older implementations may use an OSPF Route Tag instead of the DN bit, in some cases. See Sections 4.2.5.1 and 4.2.5.2.
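
The receive-side half of this rule, as an added example that is not part of RFC 4577 or of any router implementation: it parses the 20-byte OSPFv2 LSA header and separates LSAs a PE would ignore from those it would use. The position of the DN bit (high-order bit of the LSA Options field) comes from [OSPF-DN] (RFC 4576), not from this page; the sample headers are constructed and their checksums are placeholders that the code does not validate.

```python
import ipaddress
import struct
from typing import Iterable, List, NamedTuple, Tuple

# OSPFv2 LSA header: age, options, type, link state ID, advertising router,
# sequence number, checksum, length (20 bytes, network byte order).
LSA_HEADER = struct.Struct("!HBBIIIHH")

# High-order bit of the LSA Options field, as defined in RFC 4576 ([OSPF-DN]).
DN_BIT = 0x80


class LsaHeader(NamedTuple):
    age: int
    options: int
    ls_type: int
    link_state_id: int
    adv_router: int
    seq: int
    checksum: int
    length: int


def parse_lsa_header(data: bytes) -> LsaHeader:
    """Decode the fixed LSA header; reject truncated input."""
    if len(data) < LSA_HEADER.size:
        raise ValueError("truncated LSA header")
    return LsaHeader(*LSA_HEADER.unpack_from(data))


def router_id(hdr: LsaHeader) -> str:
    """Advertising router in dotted-quad form."""
    return str(ipaddress.IPv4Address(hdr.adv_router))


def split_on_dn(raw_lsas: Iterable[bytes]) -> Tuple[List[LsaHeader], List[LsaHeader]]:
    """Return (usable, ignored) for LSAs a PE received from a CE.

    An LSA whose DN bit is already set was sent towards a CE by some PE,
    so the receiving PE ignores it. The check is applied to every LSA
    type, as the overview text above states it.
    """
    usable, ignored = [], []
    for raw in raw_lsas:
        hdr = parse_lsa_header(raw)
        (ignored if hdr.options & DN_BIT else usable).append(hdr)
    return usable, ignored


def _hdr(options: int, ls_type: int, lsid: str, adv: str, length: int) -> bytes:
    """Build a constructed sample header (checksum left as 0, not validated)."""
    return LSA_HEADER.pack(
        1, options, ls_type,
        int(ipaddress.IPv4Address(lsid)), int(ipaddress.IPv4Address(adv)),
        0x80000001, 0, length,
    )


# Constructed samples, as PE2 might receive them from CE2:
SAMPLE_LSAS = [
    # Type 3 LSA originated by PE1 (192.0.2.1) with DN set, which reached
    # CE2 over a backdoor link between the two sites.
    _hdr(0x82, 3, "10.1.0.0", "192.0.2.1", 28),
    # Type 3 LSA originated by an ABR inside the site, DN clear.
    _hdr(0x02, 3, "10.2.8.0", "10.2.0.1", 28),
]

if __name__ == "__main__":
    usable, ignored = split_on_dn(SAMPLE_LSAS)
    for h in ignored:
        print(f"ignored (DN set): type {h.ls_type} from {router_id(h)}")
    for h in usable:
        print(f"usable: type {h.ls_type} from {router_id(h)}")
```

Counting or logging the ignored list per VRF shows where PE-originated routes are returning towards the backbone, which usually points at a backdoor link or a second PE attachment.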

4.2. Details

4.2.1. Independent OSPF Instances in PEs

The PE MUST support one OSPF instance for each OSPF domain to which it attaches. These OSPF instances function independently and do not leak routes to each other. Each instance of OSPF MUST be associated with a single VRF. If n CEs associated with that VRF are running OSPF on their respective PE/CE links, then those n CEs are OSPF adjacencies of the PE in the corresponding instance of OSPF.

Generally, though not necessarily, if the PE attaches to several CEs in the same OSPF domain, it will associate the interfaces to those CEs with a single VRF.

4.2.2. Router ID

If a PE and a CE are communicating via OSPF, the PE will have an OSPF Router ID that is valid (i.e., unique) within the OSPF domain. More precisely, each OSPF instance has a Router ID. Different OSPF instances may have different Router IDs.

4.2.3. OSPF Areas

A PE-CE link may be in any area, including area 0; this is a matter of the OSPF configuration.

If a PE has a link that belongs to a non-zero area, the PE functions as an Area Border Router (ABR) for that area.

PEs do not pass along the link state topology from one site to another (except in the case where a sham link is used; see Section 4.2.7).

Per [OSPFv2, Section 3.1], "the OSPF backbone always contains all area border routers". The PE routers are therefore considered area 0 routers. Section 3.1 of [OSPFv2] also requires that area 0 be contiguous. It follows that if the OSPF domain has any area 0 routers other than the PE routers, at least one of those MUST be a CE router, and it MUST have an area 0 link (possibly a virtual link) to at least one PE router.

4.2.4. OSPF Domain Identifiers

Each OSPF instance MUST be associated with one or more Domain Identifiers. This MUST be configurable, and the default value (if none is configured) SHOULD be NULL.

If an OSPF instance has multiple Domain Identifiers, one of these is considered its "primary" Domain Identifier; this MUST be determinable by configuration. If an OSPF instance has exactly one Domain Identifier, this is of course its primary Domain Identifier. If an OSPF instance has more than one Domain Identifier, the NULL Domain Identifier MUST NOT be one of them.

If a route is installed in a VRF by a particular OSPF instance, the primary Domain Identifier of that OSPF instance is considered the route's Domain Identifier.

Consider a route, R, that is installed in a VRF by OSPF instance I1, then redistributed into BGP as a VPN-IPv4 route, and then installed by BGP in another VRF. If R needs to be redistributed into OSPF instance I2, associated with the latter VRF, the way in which R is advertised in I2 will depend upon whether R's Domain Identifier is one of I2's Domain Identifiers. If R's Domain Identifier is not one of I2's Domain Identifiers, then, if R is redistributed into I2, R will be advertised as an AS-external route, no matter what its OSPF route type is. If, on the other hand, R's Domain Identifier is one of I2's Domain Identifiers, how R is advertised will depend upon R's OSPF route type.

If two OSPF instances are in the same OSPF domain, then either:

1. They both have the NULL Domain Identifier, OR

2. Each OSPF instance has the primary Domain Identifier of the other as one of its own Domain Identifiers.

If two OSPF instances are in different OSPF domains, then either:

3. They both have the NULL Domain Identifier, OR

4. Neither OSPF instance has the Primary Domain Identifier of the other as one of its own Domain Identifiers.

(Note that if two OSPF instances each have the NULL Domain Identifier, we cannot tell from the Domain Identifier whether they are in the same OSPF Domain. If they are in different domains, and if routes from one are distributed into the other, the routes will appear as intra-network routes, which may not be what is intended.)

A Domain Identifier is an eight-byte quantity that is a valid BGP Extended Communities attribute, as specified in Section 4.2.4. If a particular OSPF instance has a non-NULL Domain Identifier, when routes from that OSPF instance are distributed by BGP as VPN-IPv4 routes, the routes MUST carry the Domain Identifier Extended Communities attribute that corresponds to the OSPF instance's Primary Domain Identifier. If the OSPF instance's Domain Identifier is NULL, the Domain Identifier Extended Communities attribute MAY be omitted when routes from that OSPF instance are distributed by BGP; alternatively, a value of the Domain Identifier Extended Communities attribute that represents NULL (see Section 4.2.4) MAY be carried with the route.

If the OSPF instances of an OSPF domain are given one or more non-NULL Domain Identifiers, this procedure allows us to determine whether a particular OSPF-originated VPN-IPv4 route belongs to the same domain as a given OSPF instance. We can then determine whether the route should be redistributed to that OSPF instance as an inter-area route or as an OSPF AS-external route. Details can be found in Sections 4.2.4 and 4.2.8.1.

4.2.5. Loop Prevention
4.2.5.1. The DN Bit

When a type 3 LSA is sent from a PE router to a CE router, the DN bit [OSPF-DN] in the LSA Options field MUST be set. This is used to ensure that if any CE router sends this type 3 LSA to a PE router, the PE router will not redistribute it further.

When a PE router needs to distribute to a CE router a route that comes from a site outside the latter's OSPF domain, the PE router presents itself as an ASBR (Autonomous System Border Router), and distributes the route in a type 5 LSA. The DN bit [OSPF-DN] MUST be set in these LSAs to ensure that they will be ignored by any other PE routers that receive them.

There are deployed implementations that do not set the DN bit, but instead use OSPF route tagging to ensure that a type 5 LSA generated by a PE router will be ignored by any other PE router that may receive it. A special OSPF route tag, which we will call the VPN Route Tag (see Section 4.2.5.2), is used for this purpose. To ensure backward compatibility, all implementations adhering to this specification MUST by default support the VPN Route Tag procedures specified in Sections 4.2.5.2, 4.2.8.1, and 4.2.8.2. When it is no longer necessary to use the VPN Route Tag in a particular deployment, its use (both sending and receiving) may be disabled by configuration.

4.2.5.2. Use of OSPF Route Tags

If a particular VRF in a PE is associated with an instance of OSPF, then by default it MUST be configured with a special OSPF route tag value, which we call the VPN Route Tag. By default, this route tag MUST be included in the Type 5 LSAs that the PE originates (as the result of receiving a BGP-distributed VPN-IPv4 route, see Section 4.2.8) and sends to any of the attached CEs.

The configuration and inclusion of the VPN Route Tag is required for backward compatibility with deployed implementations that do not set the DN bit in type 5 LSAs. The inclusion of the VPN Route Tag may be disabled by configuration if it has been determined that it is no longer needed for backward compatibility.

The value of the VPN Route Tag is arbitrary but must be distinct from any OSPF Route Tag being used within the OSPF domain. Its value MUST therefore be configurable. If the Autonomous System number of the VPN backbone is two bytes long, the default value SHOULD be an automatically computed tag based on that Autonomous System number:

   Tag = <Automatic = 1, Complete = 1, PathLength = 01>

       0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |1|1|0|1|     ArbitraryTag      |       AutonomousSystem        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

       1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 _AS number of the VPN Backbone_

If the Autonomous System number is four bytes long, then a Route Tag value MUST be configured, and it MUST be distinct from any Route Tag used within the VPN itself.

If a PE router needs to use OSPF to distribute to a CE router a route that comes from a site outside the CE router's OSPF domain, the PE router SHOULD present itself to the CE router as an Autonomous System Border Router (ASBR) and SHOULD report such routes as AS-external routes. That is, these PE routers originate Type 5 LSAs reporting the extra-domain routes as AS-external routes. Each such Type 5 LSA MUST contain an OSPF route tag whose value is that of the VPN Route Tag. This tag identifies the route as having come from a PE router. The VPN Route Tag MUST be used to ensure that a Type 5 LSA originated by a PE router is not redistributed through the OSPF area to another PE router.

4.2.5.3. Other Possible Loops

The procedures specified in this document ensure that if routing information derived from a BGP-distributed VPN-IPv4 route is distributed into OSPF, it cannot be redistributed back into BGP as a VPN-IPv4 route, as long as the DN bit and/or VPN route tag is maintained within the OSPF domain. This does not eliminate all possible sources of loops. For example, if a BGP VPN-IPv4 route is distributed into OSPF, then distributed into RIP (where all the information needed to prevent looping is lost), and then distributed back into OSPF, then it is possible that it could be distributed back into BGP as a VPN-IPv4 route, thereby causing a loop.

Therefore, extreme care must be taken if there is any mutual redistribution of routes between the OSPF domain and any third routing domain (i.e., not the VPN backbone). If the third routing domain is a BGP domain (e.g., the public Internet), the ordinary BGP loop prevention measures will prevent the route from reentering the OSPF domain.
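
Added example (not part of the RFC text): the default VPN Route Tag computation of Section 4.2.5.2 and the receive-side check that Section 4.2.6 makes normative, run over constructed LSAs including the case from Section 4.2.5.3 where both markers were lost. The `ReceivedLsa` class, the function names and the sample values are assumptions of this example; the DN bit position (0x80) comes from [OSPF-DN], not from this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DN bit: high-order bit of the LSA Options octet, as defined in [OSPF-DN]
# (RFC 4576). The bit position is not spelled out on this page.
DN_BIT = 0x80
TYPE_5_AS_EXTERNAL = 5


def default_vpn_route_tag(backbone_as: int) -> int:
    """Default VPN Route Tag for a two-byte backbone AS number.

    Layout from Section 4.2.5.2: bits 0-3 are 1101 (Automatic=1, Complete=1,
    PathLength=01), the 12-bit ArbitraryTag is zero, and the low 16 bits
    carry the AS number of the VPN backbone.
    """
    if not 0 <= backbone_as <= 0xFFFF:
        # Four-byte AS: there is no computed default, a tag MUST be configured.
        raise ValueError("four-byte AS number: configure the VPN Route Tag")
    return (0b1101 << 28) | backbone_as


@dataclass(frozen=True)
class ReceivedLsa:
    """Hypothetical, minimal view of an LSA that a PE received from a CE."""
    name: str
    ls_type: int
    options: int                      # LSA Options octet
    route_tag: Optional[int] = None   # External Route Tag (type 5 only)


def usable_for_route_calculation(
    lsa: ReceivedLsa, vpn_route_tag: Optional[int]
) -> Tuple[bool, str]:
    """Apply the two MUST NOT rules of Section 4.2.6.

    vpn_route_tag=None models a deployment where use of the VPN Route Tag
    has been disabled by configuration.
    """
    if lsa.options & DN_BIT:
        return False, "DN bit set"
    if (
        lsa.ls_type == TYPE_5_AS_EXTERNAL
        and vpn_route_tag is not None
        and lsa.route_tag == vpn_route_tag
    ):
        return False, "route tag equals VPN Route Tag"
    return True, "no PE marker present"


def audit(
    lsas: List[ReceivedLsa], vpn_route_tag: Optional[int]
) -> List[Tuple[str, bool, str]]:
    """Return (name, usable, reason) for every LSA."""
    return [(l.name, *usable_for_route_calculation(l, vpn_route_tag)) for l in lsas]


# Constructed sample data (AS number and tags are illustrative only).
BACKBONE_AS = 64512
TAG = default_vpn_route_tag(BACKBONE_AS)          # 0xD000FC00
SAMPLES = [
    ReceivedLsa("type 3 from a compliant PE", 3, 0x82),
    ReceivedLsa("type 5 from a compliant PE", 5, 0x82, TAG),
    ReceivedLsa("type 5 from a legacy PE (tag only)", 5, 0x02, TAG),
    ReceivedLsa("type 5 native to the site", 5, 0x02, 100),
    # Section 4.2.5.3: OSPF -> RIP -> OSPF strips both the DN bit and the tag,
    # so the PE has nothing left to match on and accepts the route.
    ReceivedLsa("type 5 re-entered via RIP (markers lost)", 5, 0x02, 0),
]

if __name__ == "__main__":
    print(f"default VPN Route Tag for AS {BACKBONE_AS}: {TAG:#010x}")
    for name, usable, reason in audit(SAMPLES, TAG):
        print(f"{'USE ' if usable else 'DROP'}  {name}: {reason}")
```

With the tag check disabled (`vpn_route_tag=None`), the legacy-PE LSA in the sample is accepted, which is why the tag may only be turned off once no PE in the deployment relies on it.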

4.2.6. Handling LSAs from the CE

This section specifies the way in which a PE router handles the OSPF LSAs it receives from a CE router.

When a PE router receives, from a CE router, any LSA with the DN bit [OSPF-DN] set, the information from that LSA MUST NOT be used by the route calculation. If a Type 5 LSA is received from the CE, and if it has an OSPF route tag value equal to the VPN Route Tag (see Section 4.2.5.2), then the information from that LSA MUST NOT be used by the route calculation.

Otherwise, the PE must examine the corresponding VRF. For every address prefix that was installed in the VRF by one of its associated OSPF instances, the PE must create a VPN-IPv4 route in BGP. Each such route will have some of the following Extended Communities attributes:

- The OSPF Domain Identifier Extended Communities attribute. If the OSPF instance that installed the route has a non-NULL primary Domain Identifier, this MUST be present; if that OSPF instance has only a NULL Domain Identifier, it MAY be omitted. This attribute is encoded with a two-byte type field, and its type is 0005, 0105, or 0205. For backward compatibility, the type 8005 MAY be used as well and is treated as if it were 0005. If the OSPF instance has a NULL Domain Identifier, and the OSPF Domain Identifier Extended Communities attribute is present, then the attribute's value field must be all zeroes, and its type field may be any of 0005, 0105, 0205, or 8005.

- OSPF Route Type Extended Communities Attribute. This attribute MUST be present. It is encoded with a two-byte type field, and its type is 0306. To ensure backward compatibility, the type 8000 SHOULD be accepted as well and treated as if it were type 0306. The remaining six bytes of the Attribute are encoded as follows:

            +-------+-------+-------+-------+-------+-------+
            |        Area Number            | Route |Options|
            |                               | Type  |       |
            +-------+-------+-------+-------+-------+-------+
        

* Area Number: 4 bytes, encoding a 32-bit area number. For AS-external routes, the value is 0. A non-zero value identifies the route as being internal to the OSPF domain, and as being within the identified area. Area numbers are relative to a particular OSPF domain.

* OSPF Route Type: 1 byte, encoded as follows:

** 1 or 2 for intra-area routes (depending on whether the route came from a type 1 or a type 2 LSA).

** 3 for inter-area routes.

** 5 for external routes (area number must be 0).

** 7 for NSSA routes.

Note that the procedures of Section 4.2.8 do not make any distinction between routes types 1, 2, and 3. If BGP installs a route of one of these types in the VRF, and if that route is selected for redistribution into OSPF, it will be advertised by OSPF in either a type 3 or a type 5 LSA, depending on the domain identifier.

* Options: 1 byte. Currently, this is only used if the route type is 5 or 7. Setting the least significant bit in the field indicates that the route carries a type 2 metric.

- OSPF Router ID Extended Communities Attribute. This OPTIONAL attribute specifies the OSPF Router ID of the system that is identified in the BGP Next Hop attribute. More precisely, it specifies the OSPF Router Id of the PE in the OSPF instance that installed the route into the VRF from which this route was exported. This attribute is encoded with a two-byte type field, and its type is 0107, with the Router ID itself carried in the first 4 bytes of the value field. The type 8001 SHOULD be accepted as well, to ensure backward compatibility, and should be treated as if it were 0107.

- MED (MULTI_EXIT_DISC attribute). By default, this SHOULD be set to the value of the OSPF distance associated with the route, plus 1.

The intention of all this is the following. OSPF Routes from one site are converted to BGP, distributed across the VPN backbone, and possibly converted back to OSPF routes before being distributed into another site. With these attributes, BGP carries enough information about the route to enable the route to be converted back into OSPF "transparently", just as if BGP had not been involved.

Routes that a PE receives in type 4 LSAs MUST NOT be redistributed to BGP.

The attributes specified above are in addition to any other attributes that routes must carry in accordance with [VPN].

The Site of Origin attribute, which is usually required by [VPN], is OPTIONAL for routes that a PE learns from a CE via OSPF.

Use of the Site of Origin attribute would, in the case of a multiply homed site (i.e., a site attached to several PE routers), prevent an intra-site route from being reinjected into a site from the VPN backbone. Such a reinjection would not harm the routing, because the route via the VPN backbone would be advertised in a type 3 LSA, and hence would appear to be an inter-area route; the real intra-area route would be preferred. But unnecessary overhead would be introduced. On the other hand, if the Site of Origin attribute is not used, a partitioned site will find itself automatically repaired, since traffic from one partition to the other will automatically travel via the VPN backbone. Therefore, the use of a Site of Origin attribute is optional, so that a trade-off can be made between the cost of the increased overhead and the value of automatic partition repair.

4.2.7. Sham Links

This section describes the protocol and procedures necessary for the support of "Sham Links," as defined herein. Support for sham links is an OPTIONAL feature of this specification.

4.2.7.1. Intra-Area Routes

Suppose that there are two sites in the same OSPF area. Each site is attached to a different PE router, and there is also an intra-area OSPF link connecting the two sites.

It is possible to treat these two sites as a single VPN site that just happens to be multihomed to the backbone. This is in fact the simplest thing to do and is perfectly adequate, provided that the preferred route between the two sites is via the intra-area OSPF link (a "backdoor link"), rather than via the VPN backbone. There will be routes between sites that go through the PE routers, but these routes will appear to be inter-area routes, and OSPF will consider them less preferable than the intra-area routes through the backdoor link.

If it is desired to have OSPF prefer the routes through the backbone over the routes through the backdoor link, then the routes through the backbone must appear to be intra-area routes. To make a route through the backbone appear to be an intra-area route, it is necessary to make it appear as if there is an intra-area link connecting the two PE routers. This is what we refer to as a "sham link". (If the two sites attach to the same PE router, this is of course not necessary.)

A sham link can be thought of as a relation between two VRFs. If two VRFs are to be connected by a sham link, each VRF must be associated with a "Sham Link Endpoint Address", a 32-bit IPv4 address that is treated as an address of the PE router containing that VRF. The Sham Link Endpoint Address is an address in the VPN's address space, not the SP's address space. The Sham Link Endpoint Address associated with a VRF MUST be configurable. If the VRF is associated with only a single OSPF instance, and if the PE's router id in that OSPF instance is an IP address, then the Sham Link Endpoint Address MAY default to that Router ID. If a VRF is associated with several OSPF instances, each sham link belongs to a single OSPF instance.

For a given OSPF instance, a VRF needs only a single Sham Link Endpoint Address, no matter how many sham links it has. The Sham Link Endpoint Address MUST be distributed by BGP as a VPN-IPv4 address whose IPv4 address prefix part is 32 bits long. The Sham Link Endpoint Address MUST NOT be advertised by OSPF; if there is no BGP route to the Sham Link Endpoint Address, that address is to appear unreachable, so that the sham link appears to be down.

4.2.7.2. Creating Sham Links

Sham links are manually configured.

For a sham link to exist between two VRFs, each VRF has to be configured to create a sham link to the other, where the "other" is identified by its sham link endpoint address. No more than one sham link with the same pair of sham link endpoint addresses will ever be created. This specification does not include procedures for single-ended manual configuration of the sham link.

Note that sham links may be created for any area, including area 0.

A sham link connecting two VRFs is considered up if and only if a route to the 32-bit remote endpoint address of the sham link has been installed in the VRF.

The sham link endpoint address MUST NOT be used as the endpoint address of an OSPF Virtual Link.

4.2.7.3. OSPF Protocol on Sham Links

An OSPF protocol packet sent on a Sham Link from one PE to another must have as its IP source address the Sham Link Endpoint Address of the sender, and as its IP destination address the Sham Link Endpoint Address of the receiver. The packet will travel from one PE router to the other over the VPN backbone, which means that it can be expected to traverse multiple hops. As such, its TTL (Time to Live) field must be set appropriately.

An OSPF protocol packet is regarded as having been received on a particular sham link if and only if the following three conditions hold:

- The packet arrives as an MPLS packet, and its MPLS label stack causes it to be "delivered" to the local sham link endpoint address.

- The packet's IP destination address is the local sham link endpoint address.

- The packet's IP source address is the remote sham link endpoint address.

Sham links SHOULD be treated by OSPF as OSPF Demand Circuits. This means that LSAs will be flooded over them, but periodic refresh traffic is avoided. Note that, as long as the backdoor link is up, flooding the LSAs over the sham link serves no purpose. However, if the backdoor link goes down, OSPF does not have mechanisms enabling the routers in one site to rapidly flush the LSAs from the other site. Therefore, it is still necessary to maintain synchronization among the LSA databases at the two sites, hence the flooding over the sham link.

The sham link is an unnumbered point-to-point intra-area link and is advertised as a type 1 link in a type 1 LSA.

The OSPF metric associated with a sham link MUST be configurable (and there MUST be a configurable default). Whether traffic between the sites flows via a backdoor link or via the VPN backbone (i.e., via the sham link) depends on the settings of the OSPF link metrics. The metrics can be set so that the backdoor link is not used unless connectivity via the VPN backbone fails, for example.

The default Hello Interval for sham links is 10 seconds, and the default Router Dead Interval for sham links is 40 seconds.

4.2.7.4. Routing and Forwarding on Sham Links

If a PE determines that the next hop interface for a particular route is a sham link, then the PE SHOULD NOT redistribute that route into BGP as a VPN-IPv4 route.

Any other route advertised in an LSA that is transmitted over a sham link MUST also be redistributed (by the PE flooding the LSA over the sham link) into BGP. This means that if the preferred (OSPF) route for a given address prefix has the sham link as its next hop interface, then there will also be a "corresponding BGP route", for that same address prefix, installed in the VRF. Per Section 4.1.2, the OSPF route is preferred. However, when forwarding a packet, if the preferred route for that packet has the sham link as its next hop interface, then the packet MUST be forwarded according to the corresponding BGP route. That is, it will be forwarded as if the corresponding BGP route had been the preferred route. The "corresponding BGP route" is always a VPN-IPv4 route; the procedure for forwarding a packet over a VPN-IPv4 route is described in [VPN].

This same rule applies to any packet whose IP destination address is the remote endpoint address of a sham link. Such packets MUST be forwarded according to the corresponding BGP route.

4.2.8. VPN-IPv4 Routes Received via BGP

This section describes how the PE router handles VPN-IPv4 routes received via BGP.

If a received BGP VPN-IPv4 route is not installed in the VRF, nothing is reported to the CE. A received route will not be installed into the VRF if the BGP decision process regards some other route as preferable. When installed in the VRF, the route appears to be an IPv4 route.

A BGP route installed in the VRF is not necessarily used for forwarding. If an OSPF route for the same IPv4 address prefix has been installed in the VRF, the OSPF route will be used for forwarding, except in the case where the OSPF route's next-hop interface is a sham link.

If a BGP route installed in the VRF is used for forwarding, then the BGP route is redistributed into OSPF and possibly reported to the CEs in an OSPF LSA. The sort of LSA, if any, to be generated depends on various characteristics of the BGP route, as detailed in subsequent sections of this document.

The procedure for forwarding a packet over a VPN-IPv4 route is described in [VPN].

In the following, we specify what is reported, in OSPF LSAs, by the PE to the CE, assuming that the PE is not configured to do any further summarization or filtering of the routing information before reporting it to the CE.

When sending an LSA to the CE, it may be necessary to set the DN bit. See Section 4.2.5.1 for the rules regarding the DN bit.

When sending an LSA to the CE, it may be necessary to set the OSPF Route Tag. See Section 4.2.5.2 for the rules about setting the OSPF Route Tag.

When type 5 LSAs are sent, the Forwarding Address is set to 0.

4.2.8.1. External Routes

With respect to a particular OSPF instance associated with a VRF, a VPN-IPv4 route that is installed in the VRF and then selected as the preferred route is treated as an External Route if one of the following conditions holds:

- The route type field of the OSPF Route Type Extended Community has an OSPF route type of "external".

- The route is from a different domain from the domain of the OSPF instance.

The rules for determining whether a route is from a domain different from that of a particular OSPF instance are the following. The OSPF Domain Identifier Extended Communities attribute carried by the route is compared with the OSPF Domain Identifier Extended Communities attribute(s) with which the OSPF instance has been configured (if any). In general, when two such attributes are compared, all eight bytes must be compared. Thus, two OSPF Domain Identifier Extended Communities attributes are regarded as equal if and only if one of the following three conditions holds:

1. They are identical in all eight bytes.

2. They are identical in their lower-order six bytes (value field), but one attribute has two high-order bytes (type field) of 0005 and the other has two high-order bytes (type field) of 8005. (This condition is for backward compatibility.)

3. The lower-order six bytes (value field) of both attributes consist entirely of zeroes. In this case, the two attributes are considered identical irrespective of their type fields, and they are regarded as representing the NULL Domain Identifier.

If a VPN-IPv4 route has an OSPF Domain Identifier Extended Communities attribute, we say that that route is in the identified domain. If the value field of the Extended Communities attribute consists of all zeroes, then the identified domain is the NULL domain, and the route is said to belong to the NULL domain. If the route does not have an OSPF Domain Identifier Extended Communities attribute, then the route belongs to the NULL domain.

Every OSPF instance is associated with one or more Domain Identifiers, though possibly only with the NULL domain identifier. If an OSPF instance is associated with a particular Domain Identifier, we will say that it belongs to the identified domain.

If a VPN-IPv4 route is to be redistributed to a particular instance, it must be determined whether that route and that OSPF instance belong to the same domain. A route and an OSPF instance belong to the same domain if and only if one of the following conditions holds:

1. The route and the OSPF instance each belong to the NULL domain.

2. The domain to which the route belongs is the domain to which the OSPF instance belongs. (That is, the route's Domain Identifier is equal to the OSPF instance's domain identifier, as determined by the definitions given earlier in this section.)

If the route and the VRF do not belong to the same domain, the route is treated as an external route.

If an external route is redistributed into an OSPF instance, the route may or may not be advertised to a particular CE, depending on the configuration and on the type of area to which the PE/CE link belongs. If the route is advertised, and the PE/CE link belongs to a NSSA area, it is advertised in a type 7 LSA. Otherwise, if the route is advertised, it is advertised in a type 5 LSA. The LSA will be originated by the PE.

The DN bit (Section 4.2.5.1) MUST be set in the LSA. The VPN Route Tag (see Section 4.2.5.2) MUST be placed in the LSA, unless the use of the VPN Route Tag has been turned off by configuration.

By default, a type 2 metric value is included in the LSA, unless the options field of the OSPF Route Type Extended Communities attribute of the VPN-IPv4 route specifies that the metric should be type 1.

By default, the value of the metric is taken from the MED attribute of the VPN-IPv4 route. If the MED is not present, a default metric value is used. (The default type 1 metric and the default type 2 metric MAY be different.)

Note that this way of handling external routes makes every PE appear to be an ASBR attached to all the external routes. In a multihomed site, this can result in a number of type 5 LSAs containing the same information.

4.2.8.2. Summary Routes

If a route and the VRF into which it is imported belong to the same domain, then the route should be treated as if it had been received in an OSPF type 3 LSA. This means that the PE will report the route in a type 3 LSA to the CE. (Note that this case is possible even if the VPN-IPv4 route carries an area number identical to that of the CE router. This means that if an area is "partitioned" such that the two pieces are connected only via the VPN backbone, it appears to be two areas, with inter-area routes between them.)
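
The domain comparison and the resulting LSA type choice can be written out as follows. This is an added example, not code from the RFC or its authors: the function names are hypothetical, the sample identifiers are constructed, and it assumes that condition 1 of the comparison list (which precedes this passage) is equality in all eight bytes and that the route's own OSPF Route Type is not external.

```python
# Added illustration; all names here are hypothetical, not defined by RFC 4577.
DOMAIN_ID_TYPES = {0x0005, 0x0105, 0x0205, 0x8005}  # type fields named on this page
NULL_VALUE = bytes(6)                                # all-zero value field
NULL_ID = bytes.fromhex("0005") + NULL_VALUE


def split(attr: bytes):
    """Split an 8-byte Extended Community into (2-byte type, 6-byte value)."""
    if len(attr) != 8:
        raise ValueError("Extended Community must be exactly 8 bytes")
    ext_type = int.from_bytes(attr[:2], "big")
    if ext_type not in DOMAIN_ID_TYPES:
        raise ValueError(f"not an OSPF Domain Identifier type: {ext_type:04x}")
    return ext_type, attr[2:]


def domain_ids_equal(a: bytes, b: bytes) -> bool:
    ta, va = split(a)
    tb, vb = split(b)
    if va == NULL_VALUE and vb == NULL_VALUE:
        return True                      # condition 3: NULL, type fields ignored
    if va != vb:
        return False
    # Assumed condition 1 (all eight bytes equal) or condition 2 (0005 vs 8005).
    return ta == tb or {ta, tb} == {0x0005, 0x8005}


def same_domain(route_id, instance_ids) -> bool:
    """route_id is None when the route carries no Domain Identifier attribute."""
    route = NULL_ID if route_id is None else route_id
    ids = instance_ids or [NULL_ID]      # instance with only the NULL identifier
    return any(domain_ids_equal(route, i) for i in ids)


def lsa_type(route_id, instance_ids, pe_ce_area_is_nssa: bool) -> int:
    """LSA type the PE originates toward the CE, if the route is advertised."""
    if same_domain(route_id, instance_ids):
        return 3                         # Section 4.2.8.2: treated as type 3
    return 7 if pe_ce_area_is_nssa else 5   # external route, Section 4.2.8.1


if __name__ == "__main__":
    old = bytes.fromhex("800500000000000a")   # constructed sample values
    new = bytes.fromhex("000500000000000a")
    other = bytes.fromhex("010500000000000a")
    print(lsa_type(new, [old], False), lsa_type(other, [old], True))
```

A route whose value field matches but whose type field is 0105 rather than 0005 or 8005 is not in the same domain, so it is advertised as external even though six of its eight bytes agree.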

4.2.8.3. NSSA Routes

NSSA routes are treated the same as external routes, as described in Section 4.2.8.1.

5. IANA Considerations

Section 11 of [EXTCOMM] calls upon IANA to create a registry for BGP Extended Communities Type Field and Extended Type Field values. Section 4.2.6 of this document assigns new values for the BGP Extended Communities Extended Type Field. These values all fall within the range of values that [EXTCOMM] states "are to be assigned by IANA, using the 'First Come, First Served' policy defined in RFC 2434".

The BGP Extended Communities Extended Type Field values assigned in Section 4.2.6 of this document are as follows:

- OSPF Domain Identifier: Extended Types 0005, 0105, and 0205.

- OSPF Route Type: Extended Type 0306

- OSPF Router ID: Extended Type 0107

6. Security Considerations

Security considerations that are relevant in general to BGP/MPLS IP VPNs are discussed in [VPN] and [VPN-AS]. We discuss here only those security considerations that are specific to the use of OSPF as the PE/CE protocol.

A single PE may be running OSPF as the IGP of the SP backbone network, as well as running OSPF as the IGP of one or more VPNs. This requires the use of multiple, independent OSPF instances, so that routes are not inadvertently leaked between the backbone and any VPN. The OSPF instances for different VPNs must also be independent OSPF instances, to prevent inadvertent leaking of routes between VPNs.

OSPF provides a number of procedures that allow the OSPF control messages between a PE and a CE to be authenticated. OSPF "cryptographic authentication" SHOULD be used between a PE and a CE. It MUST be implemented on each PE.

In the absence of such authentication, it is possible that the CE might not really belong to the VPN to which the PE assigns it. It may also be possible for an attacker to insert spoofed messages on the PE/CE link, in either direction. Spoofed messages sent to the CE could compromise the routing at the CE's site. Spoofed messages sent to the PE could result in improper VPN routing, or in a denial-of-service attack on the VPN.

7. Acknowledgements

Major contributions to this work have been made by Derek Yeung and Yakov Rekhter.

Thanks to Ross Callon, Ajay Singhal, Russ Housley, and Alex Zinin for their review and comments.

8. Normative References

[EXTCOMM] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended Communities Attribute", RFC 4360, February 2006.

[OSPFv2] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.

[OSPF-DN] Rosen, E., Psenak, P., and P. Pillay-Esnault, "Using a Link State Advertisement (LSA) Options Bit to Prevent Looping in BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4576, June 2006.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[VPN] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4364, February 2006.

9. Informative References

[BGP] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006.

[RIP] Malkin, G., "RIP Version 2", STD 56, RFC 2453, November 1998.

[VPN-AS] Rosen, E., "Applicability Statement for BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4365, February 2006.

Authors' Addresses

Eric C. Rosen
Cisco Systems, Inc.
1414 Massachusetts Avenue
Boxborough, MA 01719

   EMail: erosen@cisco.com

Peter Psenak
Cisco Systems
BA Business Center, 9th Floor
Plynarenska 1
Bratislava 82109
Slovakia

   EMail: ppsenak@cisco.com

Padma Pillay-Esnault
Cisco Systems
3750 Cisco Way
San Jose, CA 95134

   EMail: ppe@cisco.com

Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
