Network Working Group                                  L. Andersson, Ed.
Request for Comments: 4664                                      Acreo AB
Category: Informational                                    E. Rosen, Ed.
                                                     Cisco Systems, Inc.
                                                          September 2006
        
Network Working Group                                  L. Andersson, Ed.
Request for Comments: 4664                                      Acreo AB
Category: Informational                                    E. Rosen, Ed.
                                                     Cisco Systems, Inc.
                                                          September 2006
        

Framework for Layer 2 Virtual Private Networks (L2VPNs)

第二层虚拟专用网络(L2VPN)框架

Status of This Memo

关于下段备忘

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2006).

版权所有(C)互联网协会(2006年)。

Abstract

摘要

This document provides a framework for Layer 2 Provider Provisioned Virtual Private Networks (L2VPNs). This framework is intended to aid in standardizing protocols and mechanisms to support interoperable L2VPNs.

本文档为第2层提供商提供的虚拟专用网络(L2VPN)提供了一个框架。该框架旨在帮助标准化协议和机制,以支持可互操作的L2VPN。

Table of Contents

目录

   1. Introduction ....................................................3
      1.1. Conventions Used in This Document ..........................3
      1.2. Objectives and Scope of the Document .......................3
      1.3. Layer 2 Virtual Private Networks ...........................3
      1.4. Terminology ................................................4
   2. Models ..........................................................5
      2.1. Reference Model for VPWS ...................................5
           2.1.1. Entities in the VPWS Reference Model ................5
      2.2. Reference Model for VPLS ...................................6
           2.2.1. Entities in the VPLS Reference Model ................8
      2.3. Reference Model for Distributed VPLS-PE or VPWS-PE .........9
           2.3.1. Entities in the Distributed PE Reference Models .....9
      2.4. VPWS-PE and VPLS-PE ........................................9
   3. Functional Components of L2 VPN .................................9
      3.1. Types of L2VPN ............................................10
           3.1.1. Virtual Private Wire Service (VPWS) ................10
           3.1.2. Virtual Private LAN Service (VPLS) .................10
           3.1.3. IP-Only LAN-Like Service (IPLS) ....................11
      3.2. Generic L2VPN Transport Functional Components .............11
           3.2.1. Attachment Circuits ................................11
           3.2.2. Pseudowires ........................................12
           3.2.3. Forwarders .........................................14
           3.2.4. Tunnels ............................................15
           3.2.5. Encapsulation ......................................16
           3.2.6. Pseudowire Signaling ...............................16
                  3.2.6.1. Point-to-Point Signaling ..................18
                  3.2.6.2. Point-to-Multipoint Signaling .............18
                  3.2.6.3. Inter-AS Considerations ...................19
           3.2.7. Service Quality ....................................20
                  3.2.7.1. Quality of Service (QoS) ..................20
                  3.2.7.2. Resiliency ................................21
           3.2.8. Management .........................................22
      3.3. VPWS ......................................................22
           3.3.1. Provisioning and Auto-Discovery ....................23
                  3.3.1.1. Attachment Circuit Provisioning ...........23
                  3.3.1.2. PW Provisioning for Arbitrary
                           Overlay Topologies ........................23
                  3.3.1.3. Colored Pools PW Provisioning Model .......25
           3.3.2. Requirements on Auto-Discovery Procedures ..........27
           3.3.3. Heterogeneous Pseudowires ..........................28
      3.4. VPLS Emulated LANs ........................................29
           3.4.1. VPLS Overlay Topologies and Forwarding .............31
           3.4.2. Provisioning and Auto-Discovery ....................33
           3.4.3. Distributed PE .....................................33
           3.4.4. Scaling Issues in VPLS Deployment ..................36
      3.5. IP-Only LAN-Like Service (IPLS) ...........................36
        
   1. Introduction ....................................................3
      1.1. Conventions Used in This Document ..........................3
      1.2. Objectives and Scope of the Document .......................3
      1.3. Layer 2 Virtual Private Networks ...........................3
      1.4. Terminology ................................................4
   2. Models ..........................................................5
      2.1. Reference Model for VPWS ...................................5
           2.1.1. Entities in the VPWS Reference Model ................5
      2.2. Reference Model for VPLS ...................................6
           2.2.1. Entities in the VPLS Reference Model ................8
      2.3. Reference Model for Distributed VPLS-PE or VPWS-PE .........9
           2.3.1. Entities in the Distributed PE Reference Models .....9
      2.4. VPWS-PE and VPLS-PE ........................................9
   3. Functional Components of L2 VPN .................................9
      3.1. Types of L2VPN ............................................10
           3.1.1. Virtual Private Wire Service (VPWS) ................10
           3.1.2. Virtual Private LAN Service (VPLS) .................10
           3.1.3. IP-Only LAN-Like Service (IPLS) ....................11
      3.2. Generic L2VPN Transport Functional Components .............11
           3.2.1. Attachment Circuits ................................11
           3.2.2. Pseudowires ........................................12
           3.2.3. Forwarders .........................................14
           3.2.4. Tunnels ............................................15
           3.2.5. Encapsulation ......................................16
           3.2.6. Pseudowire Signaling ...............................16
                  3.2.6.1. Point-to-Point Signaling ..................18
                  3.2.6.2. Point-to-Multipoint Signaling .............18
                  3.2.6.3. Inter-AS Considerations ...................19
           3.2.7. Service Quality ....................................20
                  3.2.7.1. Quality of Service (QoS) ..................20
                  3.2.7.2. Resiliency ................................21
           3.2.8. Management .........................................22
      3.3. VPWS ......................................................22
           3.3.1. Provisioning and Auto-Discovery ....................23
                  3.3.1.1. Attachment Circuit Provisioning ...........23
                  3.3.1.2. PW Provisioning for Arbitrary
                           Overlay Topologies ........................23
                  3.3.1.3. Colored Pools PW Provisioning Model .......25
           3.3.2. Requirements on Auto-Discovery Procedures ..........27
           3.3.3. Heterogeneous Pseudowires ..........................28
      3.4. VPLS Emulated LANs ........................................29
           3.4.1. VPLS Overlay Topologies and Forwarding .............31
           3.4.2. Provisioning and Auto-Discovery ....................33
           3.4.3. Distributed PE .....................................33
           3.4.4. Scaling Issues in VPLS Deployment ..................36
      3.5. IP-Only LAN-Like Service (IPLS) ...........................36
        
   4. Security Considerations ........................................37
      4.1. Provider Network Security Issues ..........................37
      4.2. Provider-Customer Network Security Issues .................39
      4.3. Customer Network Security Issues ..........................39
   5. Acknowledgements ...............................................40
   6. Normative References ...........................................41
   7. Informative References .........................................41
        
   4. Security Considerations ........................................37
      4.1. Provider Network Security Issues ..........................37
      4.2. Provider-Customer Network Security Issues .................39
      4.3. Customer Network Security Issues ..........................39
   5. Acknowledgements ...............................................40
   6. Normative References ...........................................41
   7. Informative References .........................................41
        
1. Introduction
1. 介绍
1.1. Conventions Used in This Document
1.1. 本文件中使用的公约

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。

1.2. Objectives and Scope of the Document
1.2. 文件的目标和范围

This document provides a framework for Layer 2 Provider Provisioned Virtual Private Networks (L2VPNs). This framework is intended to aid in standardizing protocols and mechanisms to support interoperable L2VPNs.

本文档为第2层提供商提供的虚拟专用网络(L2VPN)提供了一个框架。该框架旨在帮助标准化协议和机制,以支持可互操作的L2VPN。

The term "provider provisioned VPNs" refers to Virtual Private Networks (VPNs) for which the Service Provider (SP) participates in management and provisioning of the VPN.

术语“提供商配置的VPN”是指服务提供商(SP)参与VPN管理和配置的虚拟专用网络(VPN)。

Requirements for L2VPNs can be found in [RFC4665].

L2VPN的要求见[RFC4665]。

This document provides reference models for L2VPNs and discusses the functional components of L2VPNs. Specifically, this includes discussion of the technical issues that are important in the design of standards and mechanisms for L2VPNs, including those standards and mechanisms needed for interworking and security.

本文档提供了L2VPN的参考模型,并讨论了L2VPN的功能组件。具体而言,这包括对L2VPN标准和机制设计中重要的技术问题的讨论,包括互通和安全所需的标准和机制。

This document discusses a number of different technical approaches to L2VPNs. It tries to show how the different approaches are related, and to clarify the issues that may lead one to select one approach instead of another. However, this document does not attempt to select any particular approach.

本文档讨论了L2VPN的多种不同技术方法。它试图说明不同的方法是如何相互关联的,并澄清可能导致人们选择一种方法而不是另一种方法的问题。但是,本文件不尝试选择任何特定方法。

1.3. Layer 2 Virtual Private Networks
1.3. 第二层虚拟专用网络

There are two fundamentally different kinds of Layer 2 VPN service that a service provider could offer to a customer: Virtual Private Wire Service (VPWS) and Virtual Private LAN Service (VPLS). There is also the possibility of an IP-only LAN-like Service (IPLS).

服务提供商可以向客户提供两种根本不同的第2层VPN服务:虚拟专用线服务(VPWS)和虚拟专用局域网服务(VPLS)。也有可能提供一种仅限IP的类似LAN的服务(IPLS)。

A VPWS is a VPN service that supplies an L2 point-to-point service. As this is a point-to-point service, there are very few scaling issues with the service as such. Scaling issues might arise from the number of end-points that can be supported on a particular PE.

VPWS是提供L2点对点服务的VPN服务。由于这是一个点对点服务,因此该服务本身很少存在扩展问题。扩展问题可能由特定PE上可支持的端点数量引起。

A VPLS is an L2 service that emulates LAN service across a Wide Area Network (WAN). With regard to the amount of state information that must be kept at the edges in order to support the forwarding function, it has the scaling characteristics of a LAN. Other scaling issues might arise from the number of end-points that can be supported on a particular PE. (See Section 3.4.4.)

VPLS是一种L2服务,它跨广域网(WAN)模拟LAN服务。关于为了支持转发功能而必须保留在边缘的状态信息量,它具有LAN的缩放特性。其他扩展问题可能来自特定PE上可支持的端点数量。(见第3.4.4节。)

Note that VPLS uses a service that does not have native multicast capability to emulate a service that does have native multicast capability. As a result, there will be scalability issues with regard to the handling of multicast traffic in VPLS.

请注意,VPLS使用不具有本机多播功能的服务来模拟具有本机多播功能的服务。因此,VPLS中多播流量的处理将存在可伸缩性问题。

A VPLS service may also impose longer delays and provide less reliable transport than would a native LAN service. The standard LAN control protocols may not have been designed for such an environment and may experience scaling problems when run in that environment.

与本机LAN服务相比,VPLS服务还可能造成更长的延迟,并提供不太可靠的传输。标准LAN控制协议可能不是为此类环境设计的,在该环境中运行时可能会遇到扩展问题。

1.4. Terminology
1.4. 术语

The list of the technical terms used when discussing L2VPNs may be found in the companion document [RFC4026].

讨论L2VPN时使用的技术术语列表可在配套文件[RFC4026]中找到。

2. Models
2. 模型
2.1. Reference Model for VPWS
2.1. VPWS的参考模型

The VPWS reference model is shown in Figure 1.

VPWS参考模型如图1所示。

                  Attachment        PSN           Attachment
                   Circuits        tunnel          Circuits
                                     +
           +-----+                 pseudo                    +-----+
           |     |                  wire                     |     |
           | CE1 |--+                                     +--| CE2 |
           |     |  |    +-----+   +-----+     +-----+    |  |     |
           +-----+  +----|---- |   |  P  |     | ----+----+  +-----+
                         |VPWS\---|-----|-----|/VPWS|
                         | PE1 |===|=====|=====| PE2 |
                         |    /|---|-----|-----|\\    |
           +-----+  +----|---- |   |     |     | ----|----+  +-----+
           |     |  |    +-----+   +-----+     +-----+    |  |     |
           | CE3 |--+                                     +--| CE4 |
           |     |                                           |     |
           +-----+                                           +-----+
        
                  Attachment        PSN           Attachment
                   Circuits        tunnel          Circuits
                                     +
           +-----+                 pseudo                    +-----+
           |     |                  wire                     |     |
           | CE1 |--+                                     +--| CE2 |
           |     |  |    +-----+   +-----+     +-----+    |  |     |
           +-----+  +----|---- |   |  P  |     | ----+----+  +-----+
                         |VPWS\---|-----|-----|/VPWS|
                         | PE1 |===|=====|=====| PE2 |
                         |    /|---|-----|-----|\\    |
           +-----+  +----|---- |   |     |     | ----|----+  +-----+
           |     |  |    +-----+   +-----+     +-----+    |  |     |
           | CE3 |--+                                     +--| CE4 |
           |     |                                           |     |
           +-----+                                           +-----+
        

Figure 1

图1

2.1.1. Entities in the VPWS Reference Model
2.1.1. VPWS参考模型中的实体

The P, PE (VPWS-PE), and CE devices and the PSN tunnel are defined in [RFC4026]. The attachment circuit and pseudowire are discussed in Section 3. The PE does a simple mapping between the PW and attachment circuit based on local information; i.e., the PW demultiplexor and incoming/outgoing logical/physical port.

[RFC4026]中定义了P、PE(VPWS-PE)和CE设备以及PSN隧道。第3节讨论了连接电路和伪线。PE根据本地信息在PW和连接电路之间进行简单映射;i、 例如,PW解复用器和输入/输出逻辑/物理端口。

2.2. Reference Model for VPLS
2.2. VPLS参考模型

The following diagram shows a VPLS reference model where PE devices that are VPLS-capable provide a logical interconnect such that CE devices belonging to a specific VPLS appear to be on a single bridged Ethernet. A VPLS can contain a single VLAN or multiple tagged VLANs.

下图显示了VPLS参考模型,其中具有VPLS功能的PE设备提供逻辑互连,从而属于特定VPLS的CE设备似乎位于单个桥接以太网上。VPLS可以包含单个VLAN或多个标记VLAN。

The VPLS reference model is shown in Figures 2 and 3.

VPLS参考模型如图2和图3所示。

           +-----+                                  +-----+
           + CE1 +--+                           +---| CE2 |
           +-----+  |    ...................    |   +-----+
            VPLS A  |  +----+           +----+  |    VPLS A
                    |  |VPLS|           |VPLS|  |
                    +--| PE |--Routed---| PE |-+
                       +----+  Backbone +----+
                      /  .       |         .  \     _   /\_
           +-----+   /   .       |         .   \   / \ /   \     +-----+
           + CE  +--+    .       |         .    +--\ Access \----| CE  |
           +-----+       .    +----+       .       | Network |   +-----+
            VPLS B       .....|VPLS|........        \       /     VPLS B
                              | PE |     ^           -------
                              +----+     |
                                |        |
                                |        |
                             +-----+     |
                             | CE3 |     +-- Emulated LAN
                             +-----+
                              VPLS A
        
           +-----+                                  +-----+
           + CE1 +--+                           +---| CE2 |
           +-----+  |    ...................    |   +-----+
            VPLS A  |  +----+           +----+  |    VPLS A
                    |  |VPLS|           |VPLS|  |
                    +--| PE |--Routed---| PE |-+
                       +----+  Backbone +----+
                      /  .       |         .  \     _   /\_
           +-----+   /   .       |         .   \   / \ /   \     +-----+
           + CE  +--+    .       |         .    +--\ Access \----| CE  |
           +-----+       .    +----+       .       | Network |   +-----+
            VPLS B       .....|VPLS|........        \       /     VPLS B
                              | PE |     ^           -------
                              +----+     |
                                |        |
                                |        |
                             +-----+     |
                             | CE3 |     +-- Emulated LAN
                             +-----+
                              VPLS A
        

Figure 2

图2

                         |-----Routed Backbone-----|
                         |     (P Routers)         |PSN Tunnels,
   Emulated LAN          |                         |Pseudowires
 .......................................................................
 .                       |                         |                   .
 . |---------------------|----|           |--------|-----------------| .
 . | --------------------|--- |           | -------|---------------- | .
 . |      VPLS Forwarder      |           |      VPLS Forwarder      | .
 . | ----------|------------- |           | ----------|------------- | .
 ..|.................................................................|..
   |           | Emulated LAN |           |           | Emulated LAN |
   |           | Interface    | VPLS-PEs  |           | Interface    |
   |           |              |  <---->   |           |              |
   | ----------|------------  |           | ----------|------------  |
   | |       Bridge        |  |           | |       Bridge        |  |
   | -|--------|---------|--  |           | ---|-------|---------|-  |
   |--|--------|---------|----|           |----|-------|---------|---|
      |        |         |                     |       |         |
      |        | Access  |                     |       | Access  |
      |        | Networks|                     |       | Networks|
      |        |         |                     |       |         |
      |        |         |                     |       |         |
           CE devices                                CE devices
        
                         |-----Routed Backbone-----|
                         |     (P Routers)         |PSN Tunnels,
   Emulated LAN          |                         |Pseudowires
 .......................................................................
 .                       |                         |                   .
 . |---------------------|----|           |--------|-----------------| .
 . | --------------------|--- |           | -------|---------------- | .
 . |      VPLS Forwarder      |           |      VPLS Forwarder      | .
 . | ----------|------------- |           | ----------|------------- | .
 ..|.................................................................|..
   |           | Emulated LAN |           |           | Emulated LAN |
   |           | Interface    | VPLS-PEs  |           | Interface    |
   |           |              |  <---->   |           |              |
   | ----------|------------  |           | ----------|------------  |
   | |       Bridge        |  |           | |       Bridge        |  |
   | -|--------|---------|--  |           | ---|-------|---------|-  |
   |--|--------|---------|----|           |----|-------|---------|---|
      |        |         |                     |       |         |
      |        | Access  |                     |       | Access  |
      |        | Networks|                     |       | Networks|
      |        |         |                     |       |         |
      |        |         |                     |       |         |
           CE devices                                CE devices
        

Figure 3

图3

From Figure 3, we see that in VPLS, a CE device attaches, possibly through an access network, to a "bridge" module of a VPLS-PE. Within the VPLS-PE, the bridge module attaches, through an "Emulated LAN Interface", to an Emulated LAN. For each VPLS, there is an Emulated LAN instance. Figure 3 shows some internal structure to the Emulated LAN: it consists of "VPLS Forwarder" modules connected by pseudowires, where the pseudowires may be traveling through PSN tunnels over a routed backbone.

从图3可以看出,在VPLS中,CE设备可能通过接入网络连接到VPLS-PE的“桥接”模块。在VPLS-PE中,网桥模块通过“模拟LAN接口”连接到模拟LAN。对于每个VPLS,都有一个模拟LAN实例。图3显示了模拟LAN的一些内部结构:它由伪线连接的“VPLS转发器”模块组成,其中伪线可能通过路由主干上的PSN隧道。

A "VPLS instance" consists of a set of VPLS Forwarders (no more than one per PE) connected by pseudowires.

“VPLS实例”由一组通过伪线连接的VPLS转发器(每个PE不超过一个)组成。

The functionality that the bridge module must support depends on the service that is being offered by the SP to its customers, as well as on various details of the SP's network. At a minimum, the bridge module must be able to learn MAC addresses, and to "age them out", in the standard manner. However, if the PE devices have backdoor connections with each other via a Layer 2 network, they may need to be full IEEE bridges ([IEEE8021D]), running a spanning tree with each other. Specification of the precise functionality that the bridge

网桥模块必须支持的功能取决于SP向其客户提供的服务,以及SP网络的各种细节。至少,网桥模块必须能够学习MAC地址,并以标准方式“老化”。然而,如果PE设备通过第2层网络彼此具有后门连接,则它们可能需要是完整的IEEE网桥([IEEE8021D]),彼此运行生成树。桥的精确功能说明

modules must have in particular circumstances is, however, out of scope of the current document.

但是,在特定情况下,模块必须具有超出当前文档范围的特性。

This framework specifies that each "bridge module" have a single "Emulated LAN interface". It does not specify the number of bridge modules that a VPLS-PE may contain, nor does it specify the number of VPLS instances that may attach to a bridge module over a single "Emulated LAN interface".

该框架规定每个“网桥模块”都有一个“模拟LAN接口”。它没有指定VPLS-PE可能包含的网桥模块数量,也没有指定可能通过单个“模拟LAN接口”连接到网桥模块的VPLS实例数量。

Thus the framework is compatible with at least the following three models:

因此,该框架至少与以下三种模型兼容:

- Model 1

- 模式1

A VPLS-PE contains a single bridge module and supports a single VPLS instance. The VPLS instance is an Emulated LAN; if that Emulated LAN contains VLANs, 802.1Q [IEEE8021Q] tagging must be used to indicate which packets are in which VLANs.

VPLS-PE包含单个网桥模块并支持单个VPLS实例。VPLS实例是一个仿真LAN;如果模拟LAN包含VLAN,则必须使用802.1Q[IEEE8021Q]标记来指示哪些数据包位于哪个VLAN中。

- Model 2

- 模式2

A VPLS-PE contains a single bridge module, but supports multiple VPLS instances. Each VPLS instance is thought of as a VLAN (in effect, an "Emulated VLAN"), and the set of VPLS instances are treated as a set of VLANs on a common LAN. Since each VLAN uses a separate set of PWs, there is no need for 802.1Q tagging.

VPLS-PE包含一个网桥模块,但支持多个VPLS实例。每个VPLS实例都被视为一个VLAN(实际上是一个“模拟VLAN”),并且VPLS实例集被视为公共LAN上的一组VLAN。由于每个VLAN使用一组单独的PW,因此不需要802.1Q标记。

- Model 3

- 模式3

A VPLS-PE contains an arbitrary number of bridge modules, each of which attaches to a single VPLS instance.

VPLS-PE包含任意数量的网桥模块,每个模块连接到一个VPLS实例。

There may be other models as well, some of which are combinations of the 3 models above. Different models may have different characteristics, and different scopes of applicability.

也可能有其他模型,其中一些是上述3种模型的组合。不同的模型可能有不同的特点,适用范围也不同。

Each VPLS solution should specify the model or models that it is supporting. Each solution should also specify the necessary bridge functionality that its bridge modules must support.

每个VPLS解决方案应指定其支持的一个或多个模型。每个解决方案还应指定其网桥模块必须支持的必要网桥功能。

This framework does not specify the way in which bridge control protocols are used on the Emulated LANs.

此框架未指定在模拟LAN上使用网桥控制协议的方式。

2.2.1. Entities in the VPLS Reference Model
2.2.1. VPLS参考模型中的实体

The PE (VPLS-PE) and CE devices are defined in [RFC4026].

PE(VPLS-PE)和CE设备在[RFC4026]中定义。

2.3. Reference Model for Distributed VPLS-PE or VPWS-PE
2.3. 分布式VPLS-PE或VPWS-PE的参考模型
                  VPLS-PE/VPWS-PE
                   Functionality       . . . . . . .
               . . . . . . . . . . .   .           .
               .                   .   .           .
       +----+  .  +----+    +----+ .   .  Service  .
       | CE |--.--|U-PE|----|N-PE|-.---.  Provider .
       +----+  .  +----+    +----+ .   .  Backbone .
               . . . . . . . . . . .   .           .
        
                  VPLS-PE/VPWS-PE
                   Functionality       . . . . . . .
               . . . . . . . . . . .   .           .
               .                   .   .           .
       +----+  .  +----+    +----+ .   .  Service  .
       | CE |--.--|U-PE|----|N-PE|-.---.  Provider .
       +----+  .  +----+    +----+ .   .  Backbone .
               . . . . . . . . . . .   .           .
        
2.3.1. Entities in the Distributed PE Reference Models
2.3.1. 分布式PE参考模型中的实体

A VPLS-PE or a VPWS-PE functionality may be distributed to more than one device. The device closer to the customer/user is called the User-facing PE (U-PE), and the device closer to the core network is called Network-facing PE (N-PE).

VPLS-PE或VPWS-PE功能可以分发到多个设备。靠近客户/用户的设备称为面向用户的PE(U-PE),而靠近核心网络的设备称为面向网络的PE(N-PE)。

For further discussion, see Section 3.4.3.

有关进一步讨论,请参见第3.4.3节。

The terms "U-PE" and "N-PE" are defined in [RFC4026].

术语“U-PE”和“N-PE”的定义见[RFC4026]。

2.4. VPWS-PE and VPLS-PE
2.4. VPWS-PE和VPLS-PE

The VPWS-PE and VPLS-PE are functionally very similar, in that they both use forwarders to map attachment circuits to pseudowires. The only difference is that while the forwarder in a VPWS-PE does a one-to-one mapping between the attachment circuit and pseudowire, the forwarder in a VPLS-PE is a Virtual Switching Instance (VSI) that maps multiple attachment circuits to multiple pseudowires (for further discussion, see Section 3).

VPWS-PE和VPLS-PE在功能上非常相似,它们都使用转发器将连接电路映射到伪线。唯一的区别是,当VPWS-PE中的转发器在连接电路和伪线之间进行一对一映射时,VPLS-PE中的转发器是一个虚拟交换实例(VSI),它将多个连接电路映射到多个伪线(有关进一步的讨论,请参阅第3节)。

3. Functional Components of L2 VPN
3. l2vpn的功能组件

This section specifies a functional model for L2VPN, which allows one to break an L2VPN architecture down into its functional components. This exhibits the roles played by the various protocols and mechanisms, and thus makes it easier to understand the differences and similarities between various proposed L2VPN architectures.

本节指定L2VPN的功能模型,该模型允许将L2VPN体系结构分解为其功能组件。这展示了各种协议和机制所扮演的角色,因此更容易理解各种提议的L2VPN架构之间的异同。

Section 3.1 contains an overview of some different types of L2VPNs. In Section 3.2, functional components that are common to the different types are discussed. Then, there is a section for each of the L2VPN service types being considered. The latter sections discuss functional components, which may be specific to particular L2VPN types, and type-specific features of the generic components.

第3.1节概述了一些不同类型的L2VPN。在第3.2节中,讨论了不同类型的通用功能部件。然后,对正在考虑的每种L2VPN服务类型都有一个部分。后几节讨论功能组件(可能特定于特定L2VPN类型)以及通用组件的特定于类型的特性。

3.1. Types of L2VPN
3.1. L2VPN的类型

The types of L2VPN are distinguished by the characteristics of the service that they offer to the customers of the Service Provider (SP).

L2VPN的类型根据其向服务提供商(SP)的客户提供的服务的特点进行区分。

3.1.1. Virtual Private Wire Service (VPWS)
3.1.1. 虚拟专用线路服务(VPWS)

In a VPWS, each CE device is presented with a set of point-to-point virtual circuits.

在VPWS中,每个CE设备都有一组点对点虚拟电路。

The other end of each virtual circuit is another CE device. Frames transmitted by a CE on such a virtual circuit are received by the CE device at the other end-point of the virtual circuit. Forwarding from one CE device to another is not affected by the content of the frame, but is fully determined by the virtual circuit on which the frame is transmitted. The PE thus acts as a virtual circuit switch.

每个虚拟电路的另一端是另一个CE设备。在这样的虚拟电路上由CE发送的帧由虚拟电路的另一端的CE设备接收。从一个CE设备到另一个CE设备的转发不受帧内容的影响,而是完全由帧在其上传输的虚拟电路确定。因此,PE充当虚拟电路交换机。

This type of L2VPN has long been available over ATM and Frame Relay backbones. Providing this type of L2VPN over MPLS and/or IP backbones is the current topic.

这种类型的L2VPN长期以来都可以通过ATM和帧中继主干网使用。通过MPLS和/或IP主干网提供这种类型的L2VPN是当前的主题。

Requirements for this type of L2VPN are specified in [RFC4665].

[RFC4665]中规定了此类L2VPN的要求。

3.1.2. Virtual Private LAN Service (VPLS)
3.1.2. 虚拟专用局域网服务(VPLS)

In a VPLS, each CE device has one or more LAN interfaces that lead to a "virtual backbone".

在VPLS中,每个CE设备都有一个或多个通向“虚拟主干”的LAN接口。

Two CEs are connected to the same virtual backbone if and only if they are members of the same VPLS instance (i.e., same VPN). When a CE transmits a frame, the PE that receives it examines the MAC Destination Address field in order to determine how to forward the frame. Thus, the PE functions as a bridge. As Figure 3 indicates, if a set of PEs support a common VPLS instance, then there is an Emulated LAN, corresponding to that VPLS instance, to which each of those PE bridges attaches (via an emulated interface). From the perspective of a CE device, the virtual backbone is the set of PE bridges and the Emulated LAN on which they reside. Thus to a CE device, the LAN that attaches it to the PE is extended transparently over the routed MPLS and/or IP backbone.

当且仅当两个CE是同一VPLS实例(即同一VPN)的成员时,它们才连接到同一虚拟主干网。当CE发送帧时,接收它的PE检查MAC目的地地址字段以确定如何转发帧。因此,PE起着桥梁的作用。如图3所示,如果一组PE支持公共VPLS实例,则存在一个与该VPLS实例相对应的模拟LAN,每个PE网桥(通过模拟接口)都连接到该LAN。从CE设备的角度来看,虚拟主干是一组PE网桥和它们所在的模拟LAN。因此,对于CE设备,将其连接到PE的LAN在路由MPLS和/或IP主干上透明地扩展。

The PE bridge function treats the Emulated LAN as it would any other LAN to which it has an interface. Forwarding decisions are made in the manner that is normal for bridges, which is based on MAC Source Address learning.

PE网桥功能将模拟LAN视为与它有接口的任何其他LAN一样。转发决策是以网桥正常的方式做出的,这种方式基于MAC源地址学习。

VPLS is like VPWS in that forwarding is done without any consideration of the Layer3 header. VPLS is unlike VPWS in that:

VPLS与VPWS类似,因为转发是在不考虑第3层标头的情况下完成的。VPLS与VPWS的不同之处在于:

- VPLS allows the PE to use addressing information in a frame's L2 header to determine how to forward the frame; and

- VPLS允许PE使用帧的L2报头中的寻址信息来确定如何转发帧;和

- VPLS allows a single CE/PE connection to be used for transmitting frames to multiple remote CEs; in this particular respect, VPLS resembles L3VPN more than VPWS.

- VPLS允许单个CE/PE连接用于向多个远程CE传输帧;在这一特定方面,VPLS比VPWS更类似于L3VPN。

Requirements for this type of L2VPN are specified in [RFC4665].

[RFC4665]中规定了此类L2VPN的要求。

3.1.3. IP-Only LAN-Like Service (IPLS)
3.1.3. 仅限IP的类似LAN的服务(IPLS)

An IPLS is very like a VPLS, except that:

IPLS与VPLS非常相似,只是:

- it is assumed that the CE devices are hosts or routers, not switches; and

- 假设CE设备是主机或路由器,而不是交换机;和

- it is assumed that the service will only carry IP packets and supporting packets such as ICMP and ARP (in the case of IPv4) or Neighbor Discovery (in the case of IPv6); Layer 2 packets that do not contain IP are not supported.

- 假设该服务将仅承载IP数据包和支持数据包,如ICMP和ARP(在IPv4情况下)或邻居发现(在IPv6情况下);不支持不包含IP的第2层数据包。

While this service is a functional subset of the VPLS service, it is considered separately because it may be possible to provide it using different mechanisms, which may allow it to run on certain hardware platforms that cannot support the full VPLS functionality.

虽然该服务是VPLS服务的一个功能子集,但应单独考虑,因为可以使用不同的机制提供该服务,从而使其能够在无法支持完整VPLS功能的某些硬件平台上运行。

3.2. Generic L2VPN Transport Functional Components
3.2. 通用L2VPN传输功能组件

All L2VPN types must transport "frames" across the core network connecting the PEs. In all L2VPN types, a PE (PE1) receives a frame from a CE (CE1), and then transports the frame to a PE (PE2), which then transports the frame to a CE (CE2). In this section, we discuss the functional components that are necessary to transport L2 frames in any type of L2VPN service.

所有L2VPN类型必须通过连接PEs的核心网络传输“帧”。在所有L2VPN类型中,PE(PE1)从CE(CE1)接收帧,然后将帧传输到PE(PE2),然后PE(PE2)将帧传输到CE(CE2)。在本节中,我们将讨论在任何类型的L2VPN服务中传输L2帧所必需的功能组件。

3.2.1. Attachment Circuits
3.2.1. 连接电路

In any type of L2VPN, a CE device attaches to a PE device via some sort of circuit or virtual circuit. We will call this an "Attachment Circuit" (AC). We use this term very generally; an Attachment Circuit may be a Frame Relay DLCI, an ATM VPI/VCI, an Ethernet port, a VLAN, a PPP connection on a physical interface, a PPP session from

在任何类型的L2VPN中,CE设备通过某种电路或虚拟电路连接到PE设备。我们称之为“连接电路”(AC)。我们非常普遍地使用这个术语;连接电路可以是帧中继DLCI、ATM VPI/VCI、以太网端口、VLAN、物理接口上的PPP连接、来自的PPP会话

an L2TP tunnel, an MPLS LSP, etc. The CE device may be a router, a switch, a host, or just about anything, which the customer needs hooked up to the VPN. An AC carries a frame between CE and PE, or vice versa.

L2TP隧道、MPLS LSP等。CE设备可以是路由器、交换机、主机或客户需要连接到VPN的任何设备。AC在CE和PE之间承载帧,反之亦然。

Procedures for setting up and maintaining the ACs are out of scope of this architecture.

设置和维护ACs的程序不在此体系结构范围内。

These procedures are generally specified as part of the specification of the particular Attachment Circuit technology.

这些程序通常规定为特定附件电路技术规范的一部分。

Any given frame will traverse an AC from a CE to a PE, and then on another AC from a PE to a CE.

任何给定帧都将从CE到PE遍历一个AC,然后从PE到CE遍历另一个AC。

We refer to the former AC as the frame's "ingress AC" and to the latter AC as the frame's "egress AC". Note that this notion of "ingress AC" and "egress AC" is relative to a specific frame and denotes nothing more than the frame's direction of travel while it is on that AC.

我们将前一个AC称为帧的“入口AC”,将后一个AC称为帧的“出口AC”。请注意,“入口AC”和“出口AC”的概念是相对于特定帧的,只表示帧在该AC上时的行进方向。

3.2.2. Pseudowires
3.2.2. 假导线

A "Pseudowire" (PW) is a relation between two PE devices. Whereas an AC is used to carry a frame from CE to PE, a PW is used to carry a frame between two PEs. We use the term "pseudowire" in the sense of [RFC3985].

“伪线”(PW)是两个PE设备之间的关系。AC用于将帧从CE传送到PE,PW用于在两个PE之间传送帧。我们使用[RFC3985]意义上的术语“伪线”。

Setting up and maintaining the PWs is the job of the PEs. State information for a particular PW is maintained at the two PEs that are its endpoints, but not at other PEs, and not in the backbone routers (P routers).

设置和维护PWs是PEs的工作。特定PW的状态信息保存在作为其端点的两个PE上,但不在其他PE上,也不在主干路由器(P路由器)中。

Pseudowires may be point-to-point, multipoint-to-point, or point-to-multipoint. In this framework, point-to-point PWs are always considered bidirectional; multipoint-to-point and point-to-multipoint PWs are always considered unidirectional. Multipoint-to-point PWs can be used only when the PE receiving a frame does not need to infer, from the PW on which the frame was received, the identity of the frame's ingress AC. Point-to-multipoint PWs may be useful when frames need to be multicast.

伪导线可以是点对点、多点对点或点对多点。在这个框架中,点对点PWs总是被认为是双向的;多点对点和点对多点PWs始终被认为是单向的。仅当接收帧的PE不需要从接收帧的PW推断帧的入口AC的身份时,才可以使用多点对点PWs。当需要多播帧时,点对多点PWs可能有用。

Procedures for setting up and maintaining point-to-multipoint PWs are not considered in this version of this framework.

本框架版本不考虑设置和维护点对多点PWs的程序。

Any given frame travels first on its ingress AC, then on a PW, and then on its egress AC.

任何给定帧首先在其入口AC上移动,然后在PW上移动,然后在其出口AC上移动。

Multicast frames may be replicated by a PE, so of course the information carried in multicast frames may travel on more than one PW and more than one egress AC.

多播帧可由PE复制,因此当然多播帧中携带的信息可在多个PW和多个出口AC上传播。

Thus with respect to a given frame, a PW may be said to associate a number of ACs. If these ACs are of the same technology (e.g., both ATM, both Ethernet, both Frame Relay), the PW is said to provide "homogeneous transport"; otherwise it is said to provide "heterogeneous transport". Heterogeneous transport requires that some sort of interworking function be applied. There are at least three different approaches to interworking:

因此,关于给定帧,可以说PW与多个ac相关联。如果这些ACs具有相同的技术(例如,两个ATM、两个以太网、两个帧中继),则PW被称为提供“同质传输”;否则,它被称为提供“异构传输”。异构传输要求应用某种互通功能。至少有三种不同的互通方法:

1. One of the CEs may perform the interworking locally. For example, if CE1 attaches to PE1 via ATM, but CE2 attaches to PE2 via Ethernet, then CE1 may decide to send/receive Ethernet frames over ATM, using the RFC 2684, "LLC Encapsulation for Bridged Protocols". In such a case, PE1 would need to know that it is to terminate the ATM VC locally, and only to send/receive Ethernet frames over the PW.

1. 其中一个ce可以在本地执行互通。例如,如果CE1通过ATM连接到PE1,但是CE2通过以太网连接到PE2,那么CE1可以决定使用RFC 2684“桥接协议的LLC封装”通过ATM发送/接收以太网帧。在这种情况下,PE1需要知道它将在本地终止ATM VC,并且只在PW上发送/接收以太网帧。

2. One of the PEs may perform the interworking. For example, if CE1 attaches to PE1 via ATM, but CE2 attaches to PE2 via Frame Relay, PE1 may provide the "ATM/FR Service Interworking" function. This would be transparent to the CEs, and the PW would carry only Frame Relay frames.

2. 其中一个PE可以执行互通。例如,如果CE1通过ATM连接到PE1,但CE2通过帧中继连接到PE2,则PE1可以提供“ATM/FR服务互通”功能。这对CEs是透明的,PW将只携带帧中继帧。

3. IPLS could be used. In this case, the "frames" carried by the PW are IP datagrams, and the two PEs need to cooperate in order to spoof various L2-specific procedures used by IP (see Section 3.5).

3. 可以使用IPL。在这种情况下,PW携带的“帧”是IP数据报,两个PE需要合作以欺骗IP使用的各种L2特定程序(参见第3.5节)。

If heterogeneous PWs are used, the setup protocol must ensure that each endpoint knows the MTU of the remote AC. If the two ACs do not have the same MTU, one of the following three procedures must be carried out:

如果使用异构PW,则设置协议必须确保每个端点都知道远程AC的MTU。如果两个AC没有相同的MTU,则必须执行以下三个过程之一:

- The PW is not allowed to come up.

- 不允许出现PW。

- The endpoint at the AC with the larger MTU must reduce the AC's MTU so that it is the same as the MTU of the remote AC.

- 具有较大MTU的AC处的端点必须减少AC的MTU,使其与远程AC的MTU相同。

- The two endpoints must agree to use a specified fragmentation/reassembly procedure.

- 两个端点必须同意使用指定的碎片/重新组装程序。

3.2.3. Forwarders
3.2.3. 货代

In all types of L2VPN, a PE (say, PE1) receives a frame over an AC and forwards it over a PW to another PE (say, PE2). PE2 then forwards the frame out on another AC.

在所有类型的L2VPN中,PE(比如PE1)通过AC接收帧,然后通过PW将其转发给另一个PE(比如PE2)。然后,PE2将帧转发到另一个AC上。

The case in which PE1 and PE2 are the same device is an important case to handle correctly, in order to provide the L2VPN service properly. However, as this case does not require any protocol, we do not address it further in this document.

为了正确提供L2VPN服务,PE1和PE2是同一设备的情况是需要正确处理的重要情况。然而,由于本案例不需要任何协议,因此我们在本文件中不作进一步说明。

When PE1 receives a frame on a particular AC, it must determine the PW on which the frame must be forwarded. In general, this is done by considering:

当PE1在特定AC上接收到帧时,它必须确定帧必须在其上转发的PW。一般来说,这是通过考虑以下因素来实现的:

- the incoming AC;

- 输入交流电;

- possibly the contents of the frame's Layer2 header; and

- 可能是帧的Layer2头的内容;和

- possibly some forwarding information that may be statically or dynamically maintained.

- 可能是一些静态或动态维护的转发信息。

If dynamic or static forwarding information is considered, the information is specific to a particular L2VPN instance (i.e., to a particular VPN).

如果考虑动态或静态转发信息,则该信息特定于特定L2VPN实例(即特定VPN)。

Similarly, when PE2 receives a frame on a particular PW, it must determine the AC on which the frame must be forwarded. This is done by considering:

类似地,当PE2在特定PW上接收到帧时,它必须确定帧必须在其上转发的AC。这是通过考虑:

- the incoming PW;

- 输入PW;

- possibly the contents of the frame's Layer2 header; and

- 可能是帧的Layer2头的内容;和

- possibly some forwarding information that may be statically or dynamically maintained.

- 可能是一些静态或动态维护的转发信息。

If dynamic or static forwarding information is considered, the information is specific to a particular L2VPN instance (i.e., to a particular VPN).

如果考虑动态或静态转发信息,则该信息特定于特定L2VPN实例(即特定VPN)。

The procedures used to make the forwarding decision are known as a "forwarder". We may think of a PW as being "bound", at each of its endpoints, to a forwarder. The forwarder in turn "binds" the PWs to ACs. Different types of L2VPN have different types of forwarders.

作出转运决定的程序称为“转运人”。我们可能认为PW在其每个端点与转发器“绑定”。转发器反过来将PWs“绑定”到ACs。不同类型的L2VPN有不同类型的转发器。

For instance, a forwarder may bind a single AC to a single PW, ignoring all frame contents and using no other forwarding information. Or a forwarder may bind an AC to a set of PWs and ACs, moving individual frames from AC to PW, from a PW to an AC or from AC to AC by comparing information from the frame's Layer2 header to information in a forwarding database. This is discussed in more detail below, as we consider the different L2VPN types.

例如,转发器可以将单个AC绑定到单个PW,忽略所有帧内容,并且不使用其他转发信息。或者,转发器可以将AC绑定到一组PW和AC,通过将来自帧的Layer2报头的信息与转发数据库中的信息进行比较,将单个帧从AC移动到PW、从PW移动到AC或从AC移动到AC。这将在下面更详细地讨论,因为我们考虑不同的L2VPN类型。

3.2.4. Tunnels
3.2.4. 隧道

A PW is carried in a "tunnel" from PE1 to PE2. We assume that an arbitrary number of PWs may be carried in a single tunnel; the only requirement is that the PWs all terminate at PE2.

PW在从PE1到PE2的“隧道”中运输。我们假设任意数量的PW可在单个隧道中运输;唯一的要求是PWs均在PE2处终止。

We do not even require that all the PWs in the tunnel originate at PE1; the tunnels may be multipoint-to-point tunnels. Nor do we require that all PWs between the same pair of PEs travel in the same tunnel. All we require is that when a frame traveling through such a tunnel arrives at PE2, PE2 will be able to associate it with a particular PW.

我们甚至不要求隧道中的所有PW源自PE1;隧道可以是多点对点隧道。我们也不要求同一对PEs之间的所有PW在同一隧道中运行。我们所需要的是,当一个框架通过这样一个隧道到达PE2时,PE2将能够将它与一个特定的PW相关联。

(While one can imagine tunneling techniques that only allow one PW per tunnel, they have evident scalability problems, and we do not consider them further.)

(虽然可以想象隧道技术只允许每个隧道一个PW,但是它们有明显的可伸缩性问题,我们不考虑它们。)

A variety of different tunneling technologies may be used for the PE-PE tunnels. All that is really required is that the tunneling technologies allow the proper demultiplexing of the contained PWs. The tunnels might be MPLS LSPs, L2TP tunnels, IPsec tunnels, MPLS-in-IP tunnels, etc. Generally the tunneling technology will require the use of an encapsulation that contains a demultiplexor field, where the demultiplexor field is used to identify a particular PW. Procedures for setting up and maintaining the tunnels are not within the scope of this framework. (But see Section 3.2.6, "Pseudowire Signaling".)

PE-PE隧道可采用多种不同的隧道技术。真正需要的是,隧道技术允许对包含的PW进行适当的解复用。隧道可能是MPLS LSP、L2TP隧道、IPsec隧道、IP隧道中的MPLS等。通常,隧道技术需要使用包含解复用器字段的封装,其中解复用器字段用于识别特定PW。设置和维护隧道的程序不在本框架的范围内。(但请参见第3.2.6节“伪线信号”。)

If there are multiple tunnels from PE1 to PE2, it may be desirable to assign a particular PE1-PE2 PW to a particular tunnel based on some particular characteristics of the PW and/or the tunnel. For example, perhaps different tunnels are associated with different QoS characteristics, and different PWs require different QoS. Procedures for specifying how to assign PWs to tunnels are out of scope of the current framework.

如果有多个从PE1到PE2的隧道,则可能需要基于PW和/或隧道的某些特定特征将特定PE1-PE2 PW分配给特定隧道。例如,可能不同的隧道与不同的QoS特征相关联,并且不同的pw需要不同的QoS。指定如何将PWs分配给隧道的程序超出了当前框架的范围。

Though point-to-point PWs are bidirectional, the tunnels in which they travel need not be either bidirectional or point-to-point. For example, a point-to-point PW may travel within a unidirectional multipoint-to-point MPLS LSP.

尽管点到点PWs是双向的,但它们运行的隧道不需要双向或点到点。例如,点到点PW可以在单向多点到点MPLS LSP内移动。

3.2.5. Encapsulation
3.2.5. 封装

As L2VPN packets are carried in pseudowires, standard pseudowire encapsulation formats and techniques (as specified by the IETF's PWE3 WG) should be used wherever applicable.

由于L2VPN数据包以伪线传输,因此应在适用的情况下使用标准伪线封装格式和技术(如IETF的PWE3 WG所规定)。

Generally the PW encapsulations will themselves be encapsulated within a tunnel encapsulation, as determined by the specification of the tunneling protocol.

通常,PW封装本身将封装在隧道封装中,这由隧道协议的规范确定。

It may be necessary to define additional PW encapsulations to cover areas that are of importance for L2VPN, but that may not be within the scope of PWE3. Heterogeneous transport may be an instance of this.

可能需要定义额外的PW封装,以覆盖对L2VPN非常重要的区域,但这可能不在PWE3的范围内。异构传输可能就是一个例子。

3.2.6. Pseudowire Signaling
3.2.6. 伪线信号

Procedures for setting up and maintaining the PWs themselves are within the scope of this framework. This includes procedures for distributing demultiplexor field values, even though the demultiplexor field, strictly speaking, belongs to the tunneling protocol and not to the PW.

PWs本身的设置和维护程序在本框架范围内。这包括分配解复用器字段值的过程,即使严格来说,解复用器字段属于隧道协议而不属于PW。

The signaling for a point-to-point pseudowire must perform the following functions:

点到点伪线的信令必须执行以下功能:

- Distribution of the demultiplexor.

- 解复用器的分布。

Since many PWs may be carried in a single tunnel, the tunneling protocol must assign a demultiplexor value to each PW. These demultiplexors must be unique with respect to a given tunnel (or, with some tunneling technologies, unique at the egress PE). Generally, the PE that is the egress of the tunnel will select the demultiplexor values and will distribute them to the PE(s) which is (are) the ingress(es) of the tunnel. This is the essential part of the PW setup procedure.

由于许多PW可以在单个隧道中传输,隧道协议必须为每个PW分配一个解复用器值。对于给定的隧道,这些解复用器必须是唯一的(或者,对于某些隧道技术,在出口PE处是唯一的)。通常,作为隧道出口的PE将选择解复用器值,并将其分配给作为隧道入口的PE。这是PW设置程序的基本部分。

Note that, as is usually the case in tunneling architectures, the demultiplexor field belongs to the tunneling protocol, not to the protocol being tunneled. For this reason, the PW setup protocols may be extensions of the control protocols for setting up the tunnels.

注意,与隧道架构中的通常情况一样,解复用器字段属于隧道协议,而不是被隧道的协议。因此,PW设置协议可以是用于设置隧道的控制协议的扩展。

- Selection of the Forwarder at the remote PE.

- 选择远程PE的转发器。

The signaling protocol must contain enough information to enable the remote PE to select the proper forwarder to which the PW is to be bound. We can call this information the "Remote Forwarder

信令协议必须包含足够的信息,以使远程PE能够选择PW要绑定到的适当转发器。我们可以将此信息称为“远程转发器”

Selector". The information that is required will depend on the type of L2VPN being provided and on the provisioning model being used (see Sections 3.3.1 and 3.4.2). The Remote Forwarder Selector may uniquely identify a particular Forwarder, or it may identify an attribute of Forwarders. In the latter case, it would select whichever Forwarder has been provisioned with that attribute.

选择器”。所需的信息将取决于所提供的L2VPN类型和所使用的配置模型(见第3.3.1节和第3.4.2节)。远程转发器选择器可以唯一标识特定转发器,也可以标识转发器的属性。在后一种情况下,它将选择已设置该属性的转发器。

- Supporting pseudowire emulations.

- 支持伪线仿真。

To the extent that a particular PW must emulate the signaling of a particular Layer2 technology, the PW signaling must provide the necessary functions.

特定PW必须模拟特定Layer2技术的信令,因此PW信令必须提供必要的功能。

- Distribution of state changes.

- 状态变化的分布。

Changes in the state of an AC may need to be reflected in changes to the state of the PW to which the AC is bound, and vice versa. The specification as to which changes need to be reflected in what way would generally be within the province of the PWE3 WG.

AC状态的变化可能需要反映在AC绑定到的PW状态的变化中,反之亦然。关于哪些变更需要以何种方式反映的规范通常在PWE3工作组的范围内。

- Establishing pseudowire characteristics.

- 建立伪线特征。

To the extent that one or more characteristics of a PW must be known to and/or agreed upon by both endpoints, the signaling must allow for the necessary interaction.

如果两个端点必须知道和/或同意PW的一个或多个特征,则信令必须允许必要的交互。

As specified above, signaling for point-to-point PWs must pass enough information to allow a remote PE to properly bind a PW to a Forwarder, and to associate a particular demultiplexor value with that PW. Once the two PEs have done the proper PW/Forwarder bindings, and have agreed on the demultiplexor values, the PW may be considered set up. If it is necessary to negotiate further characteristics or parameters of a particular PW, or to pass status information for a particular PW, the PW may be identified by the demultiplexor value.

如上所述,点到点PWs的信令必须传递足够的信息,以允许远程PE将PW正确绑定到转发器,并将特定解复用器值与该PW关联。一旦两个PE完成了正确的PW/转发器绑定,并就解复用器值达成一致,就可以考虑设置PW。如果有必要协商特定PW的进一步特征或参数,或传递特定PW的状态信息,则可通过解复用器值来识别PW。

Signaling procedures for point-to-point pseudowires are most commonly point-to-point procedures that are executed by the two PW endpoints. There are, however, proposals to use point-to-multipoint signaling for setting up point-to-point pseudowires, so this is included in the framework. When PWs are themselves point-to-multipoint, it is also possible to use either point-to-point signaling or point-to-multipoint signaling to set them up. This is discussed in the remainder of this section.

点到点伪线的信令过程通常是由两个PW端点执行的点到点过程。然而,有人建议使用点对多点信令来建立点对点伪线,因此这包括在框架中。当PW本身是点对多点时,也可以使用点对点信令或点对多点信令来设置它们。这将在本节的其余部分讨论。

3.2.6.1. Point-to-Point Signaling
3.2.6.1. 点对点信令

There are several ways to do the necessary point-to-point signaling. Among them are:

有几种方法可以执行必要的点到点信令。其中包括:

- LDP

- 自民党

LDP [RFC3036] extensions can be defined for pseudowire signaling. This form of signaling can be used for pseudowires that are to be carried in MPLS "tunnels", or in MPLS-in-something-else tunnels.

LDP[RFC3036]扩展可以为伪线信令定义。这种形式的信令可用于将在MPLS“隧道”或其他隧道中的MPLS中承载的伪线。

- L2TP

- L2TP

L2TP [RFC2661] can be used for pseudowire signaling, resulting in pseudowires that are carried as "sessions" within L2TP tunnels. Pseudowire-specific extensions to L2TP may also be needed.

L2TP[RFC2661]可用于伪线信令,从而产生在L2TP隧道中作为“会话”承载的伪线。还可能需要L2TP的伪线特定扩展。

Other methods may be possible as well.

也可以采用其他方法。

It is possible to have one control connection between a pair of PEs, which is used to control many PWs.

一对PEs之间可以有一个控制连接,用于控制多个PW。

The use of point-to-point signaling for setting up point-to-point PWs is straightforward. Multipoint-to-point PWs can also be set up by point-to-point signaling, as the remote PEs do not necessarily need to know whether the PWs are multipoint-to-point or point-to-point. In some signaling procedures, the same demultiplexor value may be assigned to all the remote PEs.

使用点对点信令来建立点对点PWs非常简单。也可以通过点对点信令设置多点对点PWs,因为远程PEs不一定需要知道PWs是多点对点还是点对点。在一些信令过程中,可以将相同的解复用器值分配给所有远程PE。

3.2.6.2. Point-to-Multipoint Signaling
3.2.6.2. 点对多点信令

Consider the following conditions:

考虑以下条件:

- It is necessary to set up a set of PWs, all of which have the same characteristics.

- 有必要建立一套PWs,所有PWs都具有相同的特性。

- It is not necessary to use the PW signaling protocol to pass PW state changes.

- 无需使用PW信令协议来传递PW状态更改。

- For each PW in the set, the same value of the Remote Forwarder Selector can be used.

- 对于集合中的每个PW,可以使用相同的远程转发器选择器值。

Call these the "Environmental Conditions".

称之为“环境条件”。

Suppose also that there is some mechanism by which, given a range of demultiplexor values, each of a set of PEs can make a unique and

还假设存在某种机制,通过该机制,给定一系列解复用器值,一组PE中的每一个都可以生成唯一的

deterministic selection of a single value from within that range. Call this the "Demultiplexor Condition". Alternatively, suppose that one is trying to set up a multipoint-to-point PW rather than to set up a point-to-point PW. Call this the "Multipoint Condition".

从该范围内确定单个值的选择。称之为“解复用器条件”。或者,假设一个人正试图建立一个多点对点的PW,而不是建立一个点对点的PW。称之为“多点条件”。

If:

如果:

- The Environmental Conditions hold; and

- 环境条件保持不变;和

- Either

- 任何一个

* the Demultiplexor Condition holds, or

* 解复用器条件保持不变,或

* the Multipoint Condition holds,

* 多点条件成立,

then for a given set of PWs that terminate at egress PE1, the information that PE1 needs to send to the ingress PE(s) of each pseudowire in the set is exactly the same. All the ingress PE(s) receive the same Forwarder Selector value. They all receive the same set of PW parameters (if any). And either they all receive the same demultiplexor value (if the PW is multipoint-to-point) or they all receive a range of demultiplexor values from which each can choose a unique demultiplexor value for itself.

然后,对于在出口PE1处终止的给定pw集合,PE1需要发送到集合中每个伪线的入口PE的信息完全相同。所有入口PE接收相同的转发器选择器值。它们都接收相同的PW参数集(如果有)。或者它们都接收相同的解复用器值(如果PW是多点对点的),或者它们都接收一系列解复用器值,每个值都可以从中为自己选择唯一的解复用器值。

Rather than connect to each ingress PE and replicate the same information, it may make sense either to multicast the information, or to send the information once to a "reflector", which will then take responsibility for distributing the information to the other PEs.

与其连接到每个入口PE并复制相同的信息,不如将信息多播,或者将信息发送一次到“反射器”,反射器随后负责将信息分发到其他PE。

We refer to this sort of technique as "point-to-multipoint" signaling. It would, for example, be possible to use BGP [RFC1771] to do the signaling, with PEs that are BGP peers not of each other, but of one or more BGP route reflectors [RFC2796].

我们将这种技术称为“点对多点”信令。例如,可以使用BGP[RFC1771]进行信令,其中PE不是彼此的BGP对等方,而是一个或多个BGP路由反射器[RFC2796]的对等方。

3.2.6.3. Inter-AS Considerations
3.2.6.3. 作为考虑因素的国际货币基金组织

Pseudowires may need to run from a PE in one Service Provider's network to a PE in another Service Provider's network. This has the following implications:

伪线可能需要从一个服务提供商网络中的PE运行到另一个服务提供商网络中的PE。这有以下影响:

- The signaling protocol that sets up the PWs must be able to cross network boundaries. Of course, all IP-based protocols have this capability.

- 设置PWs的信令协议必须能够跨越网络边界。当然,所有基于IP的协议都具有这种能力。

- The two PEs at the PW endpoints must be addressable and routable from each other.

- PW端点处的两个PE必须可寻址,并且彼此可路由。

- The signaling protocol needs to allow each PW endpoint to authenticate the other. To make use of the authentication capability, there would also need to be some method of key distribution that is acceptable to both administrations.

- 信令协议需要允许每个PW端点对另一个进行身份验证。为了利用身份验证功能,还需要某种双方都能接受的密钥分发方法。

3.2.7. Service Quality
3.2.7. 服务质量

Service Quality refers to the ability for the network to deliver a Service level Specification (SLS) for service attributes such as protection, security, and Quality of Service (QoS). The service quality provided depends on the subscriber's requirements and can be characterized by a number of performance metrics.

服务质量是指网络为服务属性(如保护、安全和服务质量(QoS))提供服务级别规范(SLS)的能力。所提供的服务质量取决于订户的需求,并可通过许多性能指标来表征。

The necessary Service Quality must be provided on the ACs, as well as on the PWs. Mechanisms for providing Service Quality on the PWs may be PW-specific or tunnel-specific; in the latter case, the assignment of a PW to a tunnel may depend on the Service Quality.

必须在ACs和PWs上提供必要的服务质量。在PWs上提供服务质量的机制可能是特定于PW或特定于隧道的;在后一种情况下,将PW分配给隧道可能取决于服务质量。

3.2.7.1. Quality of Service (QoS)
3.2.7.1. 服务质量(QoS)

QoS describes the queuing behavior applied to a particular "flow", in order to achieve particular goals of precedence, throughput, delay, jitter, etc.

QoS描述应用于特定“流”的排队行为,以实现优先级、吞吐量、延迟、抖动等特定目标。

Based on the customer Service Level Agreement (SLA), traffic from a customer can be prioritized, policed, and shaped for QoS requirements. The queuing and forwarding policies can preserve the packet order and QoS parameters of customer traffic. The class of services can be mapped from information in the customer frames, or it can be independent of the frame content.

根据客户服务水平协议(SLA),可以根据QoS要求对来自客户的流量进行优先级划分、策略和形状调整。排队和转发策略可以保持客户流量的数据包顺序和QoS参数。服务类别可以从客户框架中的信息映射,也可以独立于框架内容。

QoS functions can be listed as follows:

QoS功能可列出如下:

- Customer Traffic Prioritization: L2VPN services could be best effort or QoS guaranteed. Traffic from one customer might need to be prioritized over others when sharing same network resources. This requires capabilities within the L2VPN solution to classify and mark priority to QoS guaranteed customer traffic.

- 客户流量优先级:L2VPN服务可以尽最大努力或保证QoS。共享相同的网络资源时,可能需要优先考虑来自一个客户的流量。这需要L2VPN解决方案中的功能来分类和标记QoS保证的客户流量的优先级。

- Proper queuing behavior would be needed at the egress AC, and possibly within the backbone network as well. If queuing behavior must be controlled within the backbone network, the control might be based on CoS information in the MPLS or IP header, or it might be achieved by nesting particular tunnels within particular traffic engineering tunnels.

- 在出口AC处需要适当的排队行为,也可能在主干网内。如果必须在主干网内控制排队行为,则控制可能基于MPLS或IP报头中的CoS信息,或者可以通过在特定流量工程隧道中嵌套特定隧道来实现。

- Policing: This ensures that a user of L2VPN services uses network resources within the limits of the agreed SLA. Any excess L2VPN traffic can be rejected or handled differently based on provider policy.

- 策略:这确保L2VPN服务的用户在商定的SLA限制内使用网络资源。根据提供商策略,可以拒绝或以不同方式处理任何多余的L2VPN流量。

- Policing would generally be applied at the ingress AC.

- 通常在入口AC处实施监管。

- Shaping: Under some cases, the random nature of L2VPN traffic might lead to sub-optimal utilization of network resources. Through queuing and forwarding mechanisms, the traffic can be shaped without altering the packet order.

- 成形:在某些情况下,L2VPN流量的随机性可能导致网络资源的次优利用。通过排队和转发机制,可以在不改变数据包顺序的情况下调整流量。

- Shaping would generally be applied at the ingress AC.

- 成型通常应用于入口AC。

3.2.7.2. Resiliency
3.2.7.2. 弹性

Resiliency describes the ability of the L2VPN infrastructure to protect a flow from network outage, so that service remains available in the presence of failures.

弹性描述了L2VPN基础设施保护流不受网络中断影响的能力,以便在出现故障时服务仍然可用。

L2VPN, like any other service, is subject to failures such as link, trunk, and node failures, both in the SP's core network infrastructure and on the ACs.

L2VPN与任何其他服务一样,在SP的核心网络基础设施和ACs上都会发生链路、中继和节点故障等故障。

It is desirable that the failure be detected "immediately" and that protection mechanisms allow fast restoration times to make L2VPN service almost transparent to these failures to the extent possible, based on the level of resiliency. Restoration should take place before the CEs can react to the failure. Essential aspects of providing resiliency are:

理想的做法是“立即”检测到故障,并且保护机制允许快速恢复时间,以便根据弹性级别,尽可能使L2VPN服务对这些故障几乎透明。应在CEs对故障作出反应之前进行恢复。提供弹性的基本方面包括:

- Link/Node failure detection: Mechanisms within the L2VPN service should allow for link or node failures that impact the service, and that should be detected immediately.

- 链路/节点故障检测:L2VPN服务中的机制应允许影响服务的链路或节点故障,并且应立即检测。

- Resiliency policy: The way in which a detected failure is handled will depend on the restoration policy of the SLA associated with the L2VPN service specification. It may need to be handled immediately, or it may need to be handled only if no other critical failure needs protection resources, or it may be completely ignored if it is within the bounds of the "acceptable downtime" allowed by the L2VPN service.

- 弹性策略:处理检测到的故障的方式将取决于与L2VPN服务规范相关联的SLA的恢复策略。它可能需要立即处理,或者只有在没有其他关键故障需要保护资源时才需要处理,或者如果在L2VPN服务允许的“可接受停机时间”范围内,则可能完全忽略它。

- Restoration Mechanisms: The L2VPN solutions could allow for physical level protection, logical level protection, or both. For example, by connecting customers over redundant and

- 恢复机制:L2VPN解决方案可以支持物理级保护、逻辑级保护或两者兼有。例如,通过冗余和冗余连接客户

physically separate ACs to different provider customer-facing devices, one AC can be maintained as active, and the other could be marked as a backup; upon the failure detection across the primary AC, the backup could become active.

将ACs与不同的供应商面向客户的设备进行物理分离,一个AC可以保持为活动,另一个可以标记为备份;在主AC上检测到故障后,备份可能会变为活动状态。

To a great extent, resiliency is a matter of having appropriate failure and recovery mechanisms in the network core, including "ordinary" adaptive routing as well as "fast reroute" capabilities. The ability to support redundant ACs between CEs and PEs also plays a role.

在很大程度上,恢复能力是指在网络核心中具有适当的故障和恢复机制,包括“普通”自适应路由以及“快速重路由”功能。支持CEs和PEs之间冗余ACs的能力也发挥了作用。

3.2.8. Management
3.2.8. 经营

An L2VPN solution can provide mechanisms to manage and monitor different L2VPN components. From a Service Level Agreement (SLA) perspective, L2VPN solutions could allow monitoring of L2VPN service characteristics and offer mechanisms used by Service Providers to report such monitored statistical data. Trouble-shooting and verification of operational and maintenance activities of L2VPN services are essential requirements for Service Providers.

L2VPN解决方案可以提供管理和监视不同L2VPN组件的机制。从服务级别协议(SLA)的角度来看,L2VPN解决方案可以监控L2VPN服务特性,并提供服务提供商用于报告此类监控统计数据的机制。L2VPN服务运营和维护活动的故障排除和验证是服务提供商的基本要求。

3.3. VPWS
3.3. VPWS

A VPWS is an L2VPN service in which each forwarder binds exactly one AC to exactly one PW. Frames received on the AC are transmitted on the PW; frames received on the PW are transmitted on the AC. The content of a frame's Layer2 header plays no role in the forwarding decision, except insofar as the Layer2 header contents are used to associate the frame with a particular AC (e.g., the DLCI field of a Frame Relay frame identifies the AC).

VPWS是一种L2VPN服务,其中每个转发器将恰好一个AC绑定到恰好一个PW。在AC上接收的帧在PW上传输;在PW上接收的帧在AC上传输。帧的Layer2报头的内容在转发决策中不起作用,除非Layer2报头内容用于将帧与特定AC关联(例如,帧中继帧的DLCI字段标识AC)。

A particular combination of <AC, PW, AC> forms a "virtual circuit" between two CE devices.

<AC,PW,AC>的特定组合在两个CE设备之间形成“虚拟电路”。

A particular VPN (VPWS instance) may be thought of as a collection of such virtual circuits, or as an "overlay" of PWs on the MPLS or IP backbone. This creates an overlay topology that is in effect the "virtual backbone" of a particular VPN.

特定VPN(VPWS实例)可被视为此类虚拟电路的集合,或被视为MPLS或IP主干上PW的“覆盖”。这将创建一个覆盖拓扑,实际上是特定VPN的“虚拟主干网”。

Whether two virtual circuits are said to belong to the same VPN or not is an administrative matter based on the agreements between the SPs and their customers. This may impact the provisioning model (discussed below). It may also affect how particular PWs are assigned to tunnels, the way QoS is assigned to particular ACs and PWs, etc.

两个虚拟电路是否属于同一VPN是一个基于SP与其客户之间协议的管理问题。这可能会影响资源调配模型(如下所述)。它还可能影响特定PW分配给隧道的方式,QoS分配给特定ACs和PW的方式,等等。

Note that VPWS makes use of point-to-point PWs exclusively.

请注意,VPWS专门使用点到点PWs。

3.3.1. Provisioning and Auto-Discovery
3.3.1. 资源调配和自动发现

Provisioning a VPWS is a matter of:

提供VPWS的问题包括:

1. Provisioning the ACs;

1. 提供ACs;

2. Providing the PEs with the necessary information to enable them to set up PWs between ACs to result in the desired overlay topology; and

2. 向PEs提供必要的信息,使其能够在ACs之间建立PWs,从而形成所需的覆盖拓扑;和

3. Configuring the PWs with any necessary characteristics.

3. 配置具有任何必要特性的PWs。

3.3.1.1. Attachment Circuit Provisioning
3.3.1.1. 连接电路供应

In many cases, the ACs must be individually provisioned on the PE and/or CE. This will certainly be the case if the CE/PE attachment technology is a switched network, such as ATM or FR, and the VCs are PVCs rather than SVCs. It is also the case whenever the individual Attachment Circuits need to be given specific parameters (e.g., QoS parameters, guaranteed bandwidth parameters) that differ from circuit to circuit.

在许多情况下,必须在PE和/或CE上单独设置ACs。如果CE/PE连接技术是交换网络,如ATM或FR,并且VCs是PVC而不是SVC,则肯定会出现这种情况。每当需要为各个连接电路提供不同于电路的特定参数(例如,QoS参数、保证带宽参数)时,情况也是如此。

There are also cases in which ACs might not have to be individually provisioned. For example, if an AC is just an MPLS LSP running between a CE and a PE, it could be set up as the RESULT of setting up a PW rather than having to be provisioned BEFORE the PW can be set up. The same may apply whenever the AC is a Switched Virtual Circuit of any sort, though in this case, various policy controls might need to be provisioned; e.g., limiting the number of ACs that can be set up between a given CE and a given PE.

在某些情况下,可能不需要单独设置ACs。例如,如果AC只是在CE和PE之间运行的MPLS LSP,则可以将其设置为设置PW的结果,而不必在设置PW之前进行设置。每当AC是任何种类的交换虚拟电路时,相同的情况都可以应用,尽管在这种情况下,可能需要提供各种策略控制;e、 例如,限制可在给定CE和给定PE之间设置的AC数量。

Issues such as whether the Attachment Circuits need to be individually provisioned or not, whether they are Switched VCs or Permanent VCs, and what sorts of policy controls may be applied are implementation and deployment issues and are considered to be out of scope of this framework.

诸如附件电路是否需要单独设置、它们是交换vc还是永久vc、以及可以应用何种策略控制等问题属于实施和部署问题,被认为不在本框架的范围内。

3.3.1.2. PW Provisioning for Arbitrary Overlay Topologies
3.3.1.2. 任意覆盖拓扑的PW配置

In order to support arbitrary overlay topologies, it is necessary to allow the provisioning of individual PWs. In this model, when a PW is provisioned on a PE device, it is locally bound to a specific AC. It is also provisioned with information that identifies a specific AC at a remote PE.

为了支持任意覆盖拓扑,有必要允许提供单个PW。在此模型中,当在PE设备上配置PW时,它将本地绑定到特定AC。它还配置有标识远程PE上特定AC的信息。

There are basically two variations of this provisioning model:

此资源调配模型基本上有两种变体:

- Two-sided provisioning

- 双边供应

With two-sided provisioning, each PE that is at the end of a PW is provisioned with the following information:

通过双边资源调配,位于PW末尾的每个PE都将配置以下信息:

* Identifier of the Local AC to which the PW is to be bound

* PW要绑定到的本地AC的标识符

* PW type and parameters

* PW类型和参数

* IP address of the remote PE (i.e., the PE that is to be at the remote end of the PW)

* 远程PE的IP地址(即位于PW远程端的PE)

* Identifier that is meaningful to the remote PE, and that can be passed in the PW signaling protocol to enable the remote PE to bind the PW to the proper AC. This can be an identifier of the PW or an identifier of the remote AC. If a PW identifier is used, it must be unique at each of the two PEs. If an AC identifier is used, it need only be unique at the remote PE.

* 对远程PE有意义的标识符,可在PW信令协议中传递,以使远程PE能够将PW绑定到适当的AC。这可以是PW的标识符或远程AC的标识符。如果使用PW标识符,则在两个PE中的每一个都必须是唯一的。如果使用AC标识符,则它只需在远程PE上是唯一的。

This identifier is then used as the Remote Forwarder Selector when signaling is done (see 3.2.6.1).

当发送信号时,该标识符用作远程转发器选择器(见3.2.6.1)。

- Single-sided provisioning

- 单边资源调配

With single-sided provisioning, a PE at one end of a PW is provisioned with the following information:

通过单边供应,PW一端的PE供应以下信息:

* Identifier of the Local AC to which the PW is to be bound

* PW要绑定到的本地AC的标识符

* PW type and parameters

* PW类型和参数

* Globally unique identifier of remote AC

* 远程AC的全局唯一标识符

This identifier is then used as the Forwarder Selector when signaling is done (see section 3.2.6.1).

当发送信号时,该标识符用作转发器选择器(见第3.2.6.1节)。

In this provisioning model, the IP address of the remote PE is not provisioned. Rather, the assumption is that an auto-discovery scheme will be used to map the globally unique identifier to the IP address of the remote PE, along with an identifier (perhaps unique only at the latter PE) for an AC at that PE. The PW signaling protocol can then make a connection to the remote PE, passing the AC identifier, so that the remote PE binds the PW to the proper AC.

在此配置模型中,未配置远程PE的IP地址。相反,假设将使用自动发现方案将全局唯一标识符映射到远程PE的IP地址,以及该PE处AC的标识符(可能仅在后一个PE处唯一)。然后,PW信令协议可以连接到远程PE,传递AC标识符,以便远程PE将PW绑定到适当的AC。

This scheme requires provisioning of the PW at only one PE, but it does not eliminate the need (if there is a need) to provision the ACs at both PEs.

该方案只需要在一个PE上提供PW,但并不消除在两个PE上提供ACs的需要(如果需要)。

These provisioning models fit well with the use of point-to-point signaling. When each PW is individually provisioned, as the conditions necessary for the use of point-to-multipoint signaling do not hold.

这些供应模型非常适合使用点到点信令。当每个PW单独设置时,因为使用点对多点信令所需的条件不成立。

3.3.1.3. Colored Pools PW Provisioning Model
3.3.1.3. 彩色池PW配置模型

Suppose that at each PE, sets of ACs are gathered together into "pools", and that each such pool is assigned a "color". (For example, a pool might contain all and only the ACs from this PE to a particular CE.) Now suppose that we impose the following rule: whenever PE1 and PE2 have a pool of the same color, there will be a PW between PE1 and PE2 that is bound at PE1 to an arbitrarily chosen AC from that pool, and at PE2 to an arbitrarily chosen AC from that pool. (We do not rule out the case where a single PE has multiple pools of a given color.)

假设在每个PE处,ACs集合在一起形成“池”,并且每个这样的池被分配一个“颜色”。(例如,一个池可能包含从该PE到特定CE的所有且仅包含ACs。)现在假设我们实施以下规则:每当PE1和PE2具有相同颜色的池时,PE1和PE2之间将存在一个PW,该PW在PE1处绑定到该池中任意选择的AC,在PE2处绑定到该池中任意选择的AC。(我们不排除单个PE具有多个给定颜色池的情况。)

For example, each pool in a particular PE might represent a particular CE device, for which the ACs in the pool are the ACs connecting that CE to that PE. The color might be a VPN-id. Application of this provisioning model would then lead to a full CE-to-CE mesh within the VPN, where every CE in the VPN has a virtual circuit to every other CE within the VPN.

例如,特定PE中的每个池可能代表一个特定CE设备,池中的ACs是将该CE连接到该PE的ACs。颜色可能是VPN-id。应用此配置模型将在VPN内形成完整的CE-to-CE网格,其中VPN中的每个CE与VPN内的每个其他CE都有一个虚拟电路。

More specifically, to provision VPWS according to this model, one provisions a set of pools and configures each pool with the following information:

更具体地说,要根据此模型提供VPW,需要提供一组池,并使用以下信息配置每个池:

- The set of ACs that belong to the pool (with no AC belonging to more than one pool)

- 属于池的一组AC(没有属于多个池的AC)

- The color

- 颜色

- A pool identifier that is unique at least relative to the color.

- 至少相对于颜色是唯一的池标识符。

An auto-discovery procedure is then used to map each color into a list of ordered pairs <IP address of PE, pool id>. The occurrence of a pair <X, Y> on this list means that the PE at IP address X has a pool with pool id Y, which is of the specified color.

然后使用自动发现过程将每种颜色映射到有序对的列表中<PE的IP地址,池id>。此列表中出现一对<X,Y>表示IP地址X处的PE有一个池id为Y的池,该池具有指定的颜色。

This information can be used to support several different signaling techniques. One possible technique proceeds as follows:

该信息可用于支持几种不同的信令技术。一种可能的技术如下所述:

- A PE finds that it has a pool of color C.

- PE发现它有一个C色池。

- Using auto-discovery, it obtains the set of ordered pairs <X,Y> for color C.

- 使用自动发现,它获得颜色C的有序对集<X,Y>。

- For each such pair <X,Y>, it:

- 对于每一对<X,Y>,它:

* removes an AC from the pool;

* 从池中移除AC;

* binds the AC to a particular PW; and

* 将AC绑定到特定PW;和

* signals PE X via point-to-point signaling that the PW is to be bound to an AC from pool Y.

* 通过点对点信令向PE X发送信号,表示PW将绑定到来自池Y的AC。

Another possible signaling technique is the following:

另一种可能的信令技术如下:

- A PE finds that it has a pool of color C, containing n ACs.

- PE发现它有一个C色池,其中包含n个AC。

- It binds each AC to a PW, creating a set of PWs. This set of PWs is then organized into a sequence. (For instance, each PW may be associated with a demultiplexor field value, and the PWs may then be sequenced according to the numerical value of their respective demultiplexors.)

- 它将每个AC绑定到一个PW,从而创建一组PW。然后将这组PW组织成一个序列。(例如,每个PW可与解复用器字段值相关联,然后可根据其各自解复用器的数值对PW进行排序。)

- Using auto-discovery, it obtains the list of PE routers that have one or more pools of color C.

- 使用自动发现,它获取具有一个或多个C色池的PE路由器列表。

- It signals each such PE router, specifying the sequence Q of PWs.

- 它向每个这样的PE路由器发送信号,指定PWs的序列Q。

- If PE X receives such a signal and PE X has a pool Y of the specified color, it:

- 如果PE X接收到这样的信号,并且PE X具有指定颜色的池Y,则它:

* removes an AC from the pool; and

* 从池中移除AC;和

* binds the AC to the PW that is the "Yth" PW in the sequence Q.

* 将AC绑定到序列Q中的“Yth”PW。

This presumes, of course, that the pool identifiers are or can be uniquely mapped into small ordinal numbers; assigning the pool identifiers in this way becomes a requirement of the provisioning system.

当然,这假定池标识符是或可以唯一地映射为小序号;以这种方式分配池标识符成为供应系统的一项要求。

Note that since this technique signals the same information to all the remote PEs, it can be supported via point-to-multipoint signaling.

请注意,由于该技术向所有远程PE发送相同信息的信号,因此可以通过点对多点信令来支持该技术。

This provisioning model can be applied as long as the following conditions hold:

只要满足以下条件,就可以应用此调配模型:

- There is no need to provision different characteristics for the different PWs;

- 不需要为不同的PWs提供不同的特性;

- It makes no difference which pairs of ACs are bound together by PWs, as long as both ACs in the pair come from like-colored pools; and

- 只要一对ACs中的两个ACs都来自相同颜色的池,PWs将哪对ACs绑定在一起就没有区别;和

- It is possible to construct the desired overlay topology simply by assigning colors to the pools. (This is certainly simple if a full mesh is desired, or if a hub and spoke configuration is desired; creating arbitrary topologies is less simple, and is perhaps not always possible.)

- 只需为池指定颜色,就可以构建所需的覆盖拓扑。(如果需要一个完整的网格,或者需要一个中心辐射配置,这当然很简单;创建任意拓扑就不那么简单,而且可能并不总是可能的。)

3.3.2. Requirements on Auto-Discovery Procedures
3.3.2. 自动发现程序的要求

Some of the requirements for auto-discovery procedures can be deduced from the above.

自动发现程序的一些要求可以从上面推导出来。

To support the single-sided provisioning model, auto-discovery must be able to map a globally unique identifier (of a PW or of an Attachment Circuit) to an IP address of a PE.

为了支持单边资源调配模型,自动发现必须能够将全局唯一标识符(PW或连接电路)映射到PE的IP地址。

To support the colored pools provisioning model, auto-discovery must enable a PE to determine the set of other PEs that contain pools of the same color.

要支持彩色池配置模型,自动发现必须使PE能够确定包含相同颜色池的其他PE集。

These requirements enable the auto-discovery scheme to provide the information, which the PEs need to set up the PWs.

这些要求使自动发现方案能够提供PEs设置PWs所需的信息。

There are additional requirements on the auto-discovery procedures that cannot simply be deduced from the provisioning model:

对于自动发现过程,有一些附加要求不能简单地从供应模型中推断出来:

- Particular signaling schemes may require additional information before they can proceed and hence may impose additional requirements on the auto-discovery procedures.

- 特定信令方案可能需要额外的信息才能继续,因此可能会对自动发现过程施加额外的要求。

- A given Service Provider may support several different types of signaling procedures, and thus the PEs may need to learn, via auto-discovery, which signaling procedures to use.

- 给定的服务提供商可能支持几种不同类型的信令过程,因此PEs可能需要通过自动发现来了解要使用哪些信令过程。

- Changes in the configuration of a PE should be reflected by the auto-discovery procedures, within a timely manner, and without the need to explicitly reconfigure any other PE.

- PE配置的更改应通过自动发现程序及时反映出来,无需明确重新配置任何其他PE。

- The auto-configuration procedures must work across service provider boundaries. This rules out, e.g., use of schemes that piggyback the auto-discovery information on the backbone's IGP.

- 自动配置过程必须跨服务提供商边界工作。例如,这排除了使用在主干网的IGP上搭载自动发现信息的方案。

3.3.3. Heterogeneous Pseudowires
3.3.3. 异质假丝

Under certain circumstances, it may be desirable to have a PW that binds two ACs that use different technologies (e.g., one is ATM, one is Ethernet). There are a number of different ways, depending on the AC types, in which this can be done. For example:

在某些情况下,可能希望有一个PW绑定两个使用不同技术的ACs(例如,一个是ATM,一个是以太网)。根据AC类型的不同,有许多不同的方法可以实现这一点。例如:

- If one AC is ATM and one is FR, then standard ATM/FR Network Interworking can be used. In this case, the PW might be signaled for ATM, where the Interworking function occurs between the PW and the FR AC.

- 如果一个AC是ATM,另一个是FR,则可以使用标准ATM/FR网络互通。在这种情况下,PW可能被发信号用于ATM,其中PW和FR AC之间发生互通功能。

- A common encapsulation can be used on both ACs, if for example, one AC is Ethernet and one is FR, an "Ethernet over FR" encapsulation can be used on the latter. In this case, the PW could be signaled for Ethernet, with processing of the Ethernet over FR encapsulation local to the PE with the FR AC.

- 两个AC上都可以使用公共封装,例如,如果一个AC是以太网,一个是FR,则可以在后者上使用“Ethernet over FR”封装。在这种情况下,PW可以用信号通知以太网,通过FR AC对PE本地的FR封装处理以太网。

- If it is known that the two ACs attach to IP routers or hosts and carry only IP traffic, then one could use a PW that carries the IP packets, and the respective Layer2 encapsulations would be local matters for the two PEs. However, if one of the ACs is a LAN and one is a point-to-point link, care would have to be taken to ensure that procedures such as ARP and Inverse ARP are properly handled; this might require some signaling, and some proxy functions. Further, if the CEs use a routing algorithm that has different procedures for LAN interfaces than those for point-to-point interfaces, additional mechanisms may be required to ensure proper interworking.

- 如果已知两个ACs连接到IP路由器或主机并仅承载IP流量,则可以使用承载IP数据包的PW,并且两个PE的相应第2层封装将是本地事务。但是,如果其中一个ACs是LAN,另一个是点对点链路,则必须小心确保ARP和反向ARP等程序得到正确处理;这可能需要一些信令和一些代理功能。此外,如果CEs使用的路由算法对于LAN接口的过程与对于点到点接口的过程不同,则可能需要额外的机制来确保适当的互通。

3.4. VPLS Emulated LANs
3.4. VPLS模拟局域网

A VPLS is an L2VPN service in which:

VPLS是一种L2VPN服务,其中:

- the ACs attach CE devices to PE bridge modules; and

- ACs将CE设备连接至PE桥接模块;和

- each PE bridge module is attached via an "emulated LAN interface" to an "emulated LAN".

- 每个PE网桥模块通过“模拟LAN接口”连接到“模拟LAN”。

This is shown in Figure 3.

这如图3所示。

In this section, we examine the functional decomposition of the VPLS Emulated LAN. An Emulated LAN's ACs are the "emulated LAN interfaces" attaching PE bridge modules to the "VPLS Forwarder" modules (see Figure 3). The payload on the ACs consists of ethernet frames, with or without VLAN headers.

在本节中,我们将研究VPLS仿真LAN的功能分解。模拟LAN的ACs是将PE网桥模块连接到“VPLS转发器”模块的“模拟LAN接口”(见图3)。ACs上的有效负载由以太网帧组成,有或没有VLAN头。

A given VPLS Forwarder in a given PE will have multiple ACs only if there are multiple bridge modules in that PE that attach to that Forwarder. This scenario is included in the Framework, though discussion of its utility is out of scope.

给定PE中的给定VPLS转发器只有在该PE中有多个桥接模块连接到该转发器时才会具有多个ACs。该场景包含在框架中,但对其实用性的讨论超出了范围。

The set of VPLS Forwarders within a single VPLS are connected via PWs. Two VPLS Forwarders will have a PW between them only if those two Forwarders are part of the same VPLS. (There may be a further restriction that two VPLS Forwarders have a PW between them only if those two Forwarders belong to the same VLAN in the same VPN.) A particular set of interconnected VPLS Forwarders is what constitutes a VPLS Emulated LAN.

单个VPLS中的一组VPLS转发器通过PWs连接。只有当两个VPLS转发器是同一VPLS的一部分时,两个VPLS转发器之间才会有一个PW。(可能还有进一步的限制,只有当两个VPLS转发器属于同一VPN中的同一VLAN时,两个VPLS转发器之间才有PW。)一组特定的互连VPLS转发器构成了一个VPLS模拟LAN。

On a real LAN, any frame transmitted by one entity is received by all the others. A VPLS Emulated LAN, however, behaves somewhat differently. When a VPLS Forwarder receives a unicast frame over one of its Emulated LAN interfaces, the Forwarder does not necessarily send the frame to all the other Forwarders on that Emulated LAN. A unicast frame needs to be sent to only one other Forwarder in order to be properly delivered to its destination MAC address. If the transmitting Forwarder knows which other Forwarder needs to receive a particular unicast frame, it will send the frame to just that one Forwarder. This forwarding optimization is an important part of any attempt to provide a VPLS service over a wide-area or metropolitan area network.

在真正的局域网上,一个实体发送的任何帧都会被所有其他实体接收。然而,VPLS模拟LAN的行为有些不同。当VPLS转发器通过其一个模拟LAN接口接收到单播帧时,转发器不必将该帧发送到该模拟LAN上的所有其他转发器。单播帧只需要发送到另一个转发器,才能正确地发送到其目标MAC地址。如果发送转发器知道哪个其他转发器需要接收特定的单播帧,它将只向该转发器发送该帧。这种转发优化是在广域网或城域网上提供VPLS服务的任何尝试的重要部分。

In effect, then, each Forwarder behaves as a "Virtual Switch Instance" (VSI), maintaining a forwarding table that maps MAC addresses to PWs. The VSI is populated in much the same way that a standard bridge populates its forwarding table. The VPLS Forwarders do MAC Source Address (SA) learning on frames received on PWs from

实际上,每个转发器都充当一个“虚拟交换机实例”(VSI),维护一个将MAC地址映射到PWs的转发表。VSI的填充方式与标准网桥填充其转发表的方式大致相同。VPLS转发器对PWs从接收到的帧进行MAC源地址(SA)学习

other Forwarders and must also do the related set of procedures, such as aging out address entries. Frames with unknown DAs or multicast DAs must be "broadcast" by one Forwarder to all the others (on the same emulated LAN). There are, however, a few important differences between the VPLS Forwarder VSI and the standard bridge forwarding function:

其他货运代理也必须执行相关的一套程序,例如老化地址条目。具有未知DAs或多播DAs的帧必须由一个转发器“广播”到所有其他转发器(在同一模拟LAN上)。然而,VPLS转发器VSI和标准网桥转发功能之间存在一些重要区别:

- A VPLS Forwarder never learns the MAC SAs of frames that it receives on its ACs; it only learns the MAC SAs of frames that are received on PWs from other VPLS Forwarders; and

- VPLS转发器从不了解它在其ACs上接收的帧的MAC SA;它只学习在PWs上从其他VPLS转发器接收的帧的MAC SA;和

- The VPLS Forwarders of a particular emulated LAN do not participate in a spanning tree protocol with each other. A "split horizon" technique is used to prevent forwarding loops.

- 特定模拟LAN的VPLS转发器彼此不参与生成树协议。“分割地平线”技术用于防止转发循环。

These points are discussed further in the next section.

下一节将进一步讨论这些要点。

Note that the PE bridge modules that are on a given Emulated LAN may or may not run a spanning tree protocol with each other over the Emulated LAN; whether they do so or not is outside the scope of the VPLS specifications. The PE bridge modules will do MAC address learning on the ACs. The PE bridge modules also do MAC address learning on the Emulated LAN interfaces, but do not do MAC address learning on the PWs, as the PWs are "hidden" behind the Emulated LAN interface. Conceptually, the PE bridge module's forwarding table and the VPLS Forwarder's VSI are distinct entities. (Of course, particular implementations might combine these into a single table, but that is beyond the scope of this document.)

注意,在给定仿真LAN上的PE网桥模块可以或不可以在仿真LAN上彼此运行生成树协议;他们是否这样做超出了VPLS规范的范围。PE网桥模块将在ACs上进行MAC地址学习。PE网桥模块也在模拟LAN接口上进行MAC地址学习,但不在PWs上进行MAC地址学习,因为PWs“隐藏”在模拟LAN接口后面。从概念上讲,PE网桥模块的转发表和VPLS转发器的VSI是不同的实体。(当然,特定的实现可能会将它们合并到一个表中,但这超出了本文的范围。)

A further issue arises if the PE bridges run bridge control protocols with each other over the Emulated LAN. Bridge control protocols are generally designed to run in over a real LAN and may presume, for their proper functioning, certain characteristics of the LAN, such as low latency and sequential delivery. If the Emulated LAN does not provide these characteristics, the control protocols may not perform as expected unless special mechanisms are provided for carrying the control frames.

如果PE网桥在模拟LAN上彼此运行网桥控制协议,则会出现另一个问题。网桥控制协议通常被设计为在真实的局域网上运行,并且为了它们的正常运行,可以假定局域网的某些特性,例如低延迟和顺序传送。如果模拟LAN不提供这些特性,则除非提供用于承载控制帧的特殊机制,否则控制协议可能无法按预期执行。

It should be noted that changes in the spanning tree (if any) of a customer network, or in the spanning tree (if any) of the PE bridges, may cause certain MAC addresses to change their location from one PE to another. These changes may not be visible to the VPLS Forwarders, which means that those MAC addresses might become unreachable until they are aged out of the first PE's VSI. If this is not acceptable, some mechanism for communicating such changes to the VPLS Forwarders must be provided.

应当注意,客户网络的生成树(如果有)或PE网桥的生成树(如果有)中的变化可能导致某些MAC地址从一个PE改变到另一个PE。VPLS转发器可能看不到这些更改,这意味着这些MAC地址可能在第一个PE的VSI过期之前无法访问。如果这是不可接受的,则必须提供一些机制,用于将此类更改传达给VPLS转发器。

3.4.1. VPLS Overlay Topologies and Forwarding
3.4.1. VPLS覆盖拓扑和转发

Within a single VPLS, the VPLS Forwarders are interconnected by PWs. The set of PWs thus forms an "overlay topology".

在单个VPLS中,VPLS转发器通过PWs互连。因此,PWs集形成了一个“覆盖拓扑”。

The VPLS Forwarder VSIs are populated by means of MAC address learning. That is, the VSI keeps track of which MAC SAs have been received over which PWs. The presumption, of course, is that if a particular MAC address appears as the SA of a frame received over a particular PW, then frames that carry that MAC address in the DA field should be sent to the VSI that is at the remote end of the PW. In order for this presumption to be true, there must be a unique VSI at the remote end of the PW, which means that VSIs cannot be interconnected by means of multipoint-to-point PWs. The PWs are necessarily either point-to-point or, possibly, point-to-multipoint.

VPLS转发器VSI通过MAC地址学习来填充。也就是说,VSI跟踪通过哪些PW接收到哪些MAC SA。当然,假设是,如果特定MAC地址显示为通过特定PW接收的帧的SA,则在DA字段中携带该MAC地址的帧应发送到PW远端的VSI。为了使这一假设成立,必须在PW的远端有一个唯一的VSI,这意味着VSI不能通过多点对点PWs互连。PWs必须是点对点或点对多点。

MAC learning over a point-to-point PW is done via the standard techniques as specified by IEEE, where the PW is treated by the VPLS Forwarder as a "bridge port". Of course, if a MAC address is learned from a point-to-multipoint PW, the VSI must indicate that packets to that address are to be sent over a point-to-point PW that leads to the root of that point-to-multipoint PW.

点到点PW上的MAC学习通过IEEE规定的标准技术完成,其中,VPLS转发器将PW视为“桥接端口”。当然,如果从点对多点PW学习MAC地址,那么VSI必须指示发送到该地址的包将通过点对点PW发送,该点对多点PW的根。

The VSI forwarding decisions must be coordinated so that loop-free forwarding over the overlay topology is ensured.

必须协调VSI转发决策,以确保覆盖拓扑上的无环转发。

There are several possible types of overlay topologies:

有几种可能的叠加拓扑类型:

- Full mesh

- 全网

In a full mesh, every VSI in a given VPLS has exactly one point-to-point PW to every other VSI in that same VPLS.

在完整网格中,给定VPLS中的每个VSI与同一VPLS中的每个其他VSI之间正好有一个点到点PW。

In this topology, loop free forwarding of frames is ensured by the following rule: if a VSI receives a frame, over a PW, from another VSI, it MUST NOT forward that frame over ANY other PW to any other VSI. This ensures that once a frame traverses the Emulated LAN, it must be sent off the Emulated LAN.

在此拓扑中,帧的无循环转发由以下规则确保:如果VSI通过PW从另一个VSI接收到帧,则它不得通过任何其他PW将该帧转发到任何其他VSI。这确保了帧一旦通过模拟LAN,就必须从模拟LAN发送出去。

If a VSI receives, on one of its Emulated LAN interfaces, a unicast frame with a known DA, the frame is sent on exactly one point-to-point PW.

如果VSI在其一个模拟LAN接口上接收到一个具有已知DA的单播帧,则该帧正好在一个点对点PW上发送。

If a VSI receives, on one of its Emulated LAN interfaces, a multicast frame or a unicast frame with an unknown DA, it sends a copy of the frame to each other VSI in the same Emulated LAN. This can be done by replicating the frame and sending a copy over each point-to-point PW. Alternatively, the full mesh of

如果VSI在其一个模拟LAN接口上接收到具有未知DA的多播帧或单播帧,则它会在同一模拟LAN中向彼此VSI发送该帧的副本。这可以通过复制帧并在每个点对点PW上发送副本来实现。或者,也可以使用

point-to-point PWs may be augmented with point-to-multipoint PWs, where each VSI in a VPLS is the transmitter on a single point-to-multipoint PW, and the receivers on that PW are all the other VSIs in that VPLS.

点对点PWs可通过点对多点PWs进行扩充,其中VPLS中的每个VSI是单点对多点PW上的发射机,而该PW上的接收机是该VPLS中的所有其他VSI。

- Tree structured

- 树形结构

In a tree structured topology, every VSI in a particular VPLS is provisioned to be at a particular level in the tree. A given VSI has at most one pseudowire leading to a higher level. The root of the tree is considered the highest level.

在树结构拓扑中,特定VPLS中的每个VSI都被设置为树中的特定级别。给定的VSI最多有一条通向更高级别的伪线。树的根被视为最高级别。

In this topology, loop free forwarding of frames is ensured by the following rule: if a frame is received over a pseudowire from a higher level, it may not be sent over a pseudowire that leads to a higher level.

在此拓扑中,帧的无循环转发由以下规则确保:如果通过伪线从更高级别接收到帧,则它可能不会通过导致更高级别的伪线发送。

- Tree with Meshed Highest Level

- 最高层次有网格的树

In this variant of the tree-structured topology, there may be more than one VSI at the highest level, but the set of VSIs that are at the highest level must be fully meshed. To ensure loop free forwarding, we need to impose the rule that a frame can be sent on a pseudowire to the same or higher level only if it arrived over a pseudowire from a lower level, and that frames arriving over PWs from the same level cannot be sent on PWs to the same level.

在树结构拓扑的这种变体中,最高级别可能有多个VSI,但最高级别的VSI集必须完全网格化。为了确保无循环转发,我们需要强制执行以下规则:只有当帧从较低级别通过伪线到达时,才可以通过伪线将其发送到相同或更高级别,并且从相同级别通过PWs到达的帧不能通过PWs发送到相同级别。

Other overlay topologies are also possible; e.g., an arbitrary partial mesh of PWs among the VSIs of a VPLS. Loop-freedom could then be assured by, for example, running a spanning tree on the overlay. These topologies are not further considered in this framework.

其他叠加拓扑也是可能的;e、 例如,VPLS的VSI中PWs的任意部分网格。然后,可以通过在覆盖上运行生成树来确保循环自由。在本框架中不进一步考虑这些拓扑。

Note that loop freedom in the overlay topology does not necessarily ensure loop freedom in the overall customer LAN that contains the VPLS. It does not even ensure loop freedom among the PE bridge modules. It ensures only that when a frame is sent on the Emulated LAN, the frame will not loop endlessly before (or instead of) leaving the Emulated LAN.

请注意,覆盖拓扑中的环路自由度不一定确保包含VPL的整个客户LAN中的环路自由度。它甚至不能确保PE桥接模块之间的环路自由度。它仅确保在模拟LAN上发送帧时,帧在离开(或代替)模拟LAN之前不会无休止地循环。

Improper configuration of the customer LAN or PE bridge modules may cause frames to loop, and frames that fall into such loops may transit the overlay topology multiple times. Procedures that enable the PE to detect and/or prevent such loops may be advisable.

客户LAN或PE网桥模块配置不当可能会导致帧循环,落入此类循环的帧可能会多次通过覆盖拓扑。使PE能够检测和/或防止此类回路的程序可能是可取的。

3.4.2. Provisioning and Auto-Discovery
3.4.2. 资源调配和自动发现

Each VPLS must be assigned a globally unique identifier. This can be thought of as a VPN-id.

必须为每个VPL分配一个全局唯一标识符。这可以看作是一个VPN-id。

The ACs attaching the CEs to the PEs must be provisioned on both the PEs and the CEs. A VSI for that VPLS must be provisioned on the PE, and the local ACs of that VPLS must be associated with that VSI. The VSI must be provisioned with the identifier of the VPLS to which it belongs.

必须在PEs和CEs上设置将CEs连接到PEs的ACs。必须在PE上设置该VPL的VSI,并且该VPL的本地ACs必须与该VSI关联。必须为VSI提供其所属VPL的标识符。

An auto-discovery scheme may be used by a PE to map a VPLS identifier into the set of remote PEs that have VSIs in that VPLS. Once this set is determined, the PE can use pseudowire signaling to set up a PW to each of those VSIs. The VPLS identifier would serve as the signaling protocol's Forwarder Selector. This would result in a full mesh of PWs among the VSIs in a particular VPLS.

PE可以使用自动发现方案将VPLS标识符映射到在该VPLS中具有VSI的远程PE集合中。一旦确定了该集合,PE就可以使用伪线信令来为这些VSI中的每一个建立PW。VPLS标识符将用作信令协议的转发器选择器。这将导致特定VPL中VSI之间的PW完全啮合。

If a single VPLS contains multiple VLANs, then it may be desirable to limit connectivity so that two VSIs are connected only if they have a VLAN in common.

如果一个VPL包含多个VLAN,则可能需要限制连接,以便仅当两个VSI具有共同的VLAN时,才连接它们。

In this case, each VSI would need to be provisioned with one or more VLAN ids, and the auto-discovery scheme would need to map a VPLS identifier into pairs of <PE, VLAN id>.

在这种情况下,每个VSI需要配置一个或多个VLAN id,自动发现方案需要将VPLS标识符映射到<PE,VLAN id>对中。

If a fully meshed topology of VSIs is not desired, then each VSI needs to be provisioned with additional information specifying its placement in the topology. This information would also need to be provided by the auto-discovery scheme.

如果不需要VSI的完全网格化拓扑,则需要为每个VSI提供指定其在拓扑中的位置的附加信息。自动发现计划还需要提供这些信息。

Alternatively, the single-sided provisioning method discussed in Section 3.3.1.2 could be used. As this is more complicated, it would only be used if it were necessary to associate individual PWs with individual characteristics. For example, if different guaranteed bandwidths were needed between different pairs of sites within a VPLS, the PWs would have to be provisioned individually.

或者,可以使用第3.3.1.2节中讨论的单边供应方法。由于这更为复杂,因此只有在需要将单个PW与单个特征相关联时才会使用。例如,如果VPLS内的不同站点对之间需要不同的保证带宽,则必须单独供应PWs。

3.4.3. Distributed PE
3.4.3. 分布式PE

Often, when a VPLS type of service is provided, the CE devices attach to a provider-managed CPE device. This provider-managed CPE device may attach to CEs of multiple customers, especially if, for example, there are multiple customers occupying the same building. However, this device is really part of the SP's network, hence may be considered a PE device.

通常,当提供VPLS类型的服务时,CE设备连接到提供商管理的CPE设备。该提供商管理的CPE设备可连接到多个客户的ce,尤其是在例如多个客户占用同一建筑物的情况下。但是,此设备实际上是SP网络的一部分,因此可能被视为PE设备。

In some scenarios in which a VPLS type of service is provided, the CE devices attach to a provider-managed intermediary device. This provider-managed device may attach to CEs of multiple customers. This may arise if there are multiple customers occupying the same building. This device is really part of the SP's network and may for that reason be considered to be a PE device; however, in the simplest case, it is performing only aggregation and none of the function associated with a VPLS.

在提供VPLS类型服务的某些场景中,CE设备连接到提供商管理的中间设备。此提供商管理的设备可以连接到多个客户的CE。如果有多个客户占用同一栋建筑,则可能会出现这种情况。该设备实际上是SP网络的一部分,因此可能被视为PE设备;但是,在最简单的情况下,它只执行聚合,而不执行与VPLS关联的任何功能。

Relative to the VPLS there are three different possibilities for allocate functions to a device in such a position in the provider network:

相对于VPLS,有三种不同的可能性可将功能分配给提供商网络中处于该位置的设备:

- it can perform aggregation and pure Layer2 service only, in which case it does not really play the role of a PE device in a VPLS service. In this case the intermediary system must connect to devices that perform VPLS PE functionality; the intermediary device itself is not part of the VPLS architecture and has hence not been named in this architecture.

- 它只能执行聚合和纯Layer2服务,在这种情况下,它实际上不能在VPLS服务中扮演PE设备的角色。在这种情况下,中间系统必须连接到执行VPLS PE功能的设备;中间设备本身不是VPLS体系结构的一部分,因此未在该体系结构中命名。

- it can perform all the PE functions relevant for a VPLS. In such a case, the device is called VPLS-PE, see [RFC4026]. This type of device will be connected to the core (P) routers.

- 它可以执行与VPLS相关的所有PE功能。在这种情况下,该设备称为VPLS-PE,请参阅[RFC4026]。这种类型的设备将连接到核心(P)路由器。

The PE functionality for a VPLS may be distributed between two devices, one "low-end" closer to the customer that performs, for example, the MAC-address learning and forwarding decisions, and one "high-end" that performs the control functions; e.g., establishing tunnels, PWs, and VCs. We call the low-end device the User-Facing PE (U-PE) and the high-end device the Network-Facing PE (N-PE).

VPLS的PE功能可以分布在两个设备之间,一个“低端”设备更靠近执行例如MAC地址学习和转发决策的客户,另一个“高端”设备执行控制功能;e、 例如,建立隧道、PWs和VCs。我们将低端设备称为面向用户的PE(U-PE),将高端设备称为面向网络的PE(N-PE)。

It is conceivable that the U-PE may be placed very close to the customer; e.g., in a building with more than one customer. The N-PE will presumably be placed on the SP's premises.

可以想象,U-PE可能放置在离客户非常近的位置;e、 例如,在一个有多个客户的建筑物内。N-PE可能放置在SP的场所。

The distributed case is potentially of interest for a number of possible reasons:

由于一些可能的原因,分布式案例可能会引起关注:

- The N-PE may be a device that cannot easily implement the VSI functionality described above. For example, perhaps the N-PE is a router that cannot perform the high speed MAC learning that is needed in order to implement a VSI forwarder. At the same time, the U-PE may need to be a low-cost device that also cannot implement the full set of VPLS functions.

- N-PE可以是不能容易地实现上述VSI功能的设备。例如,可能N-PE是一个路由器,它不能执行实现VSI转发器所需的高速MAC学习。同时,U-PE可能需要是一种低成本设备,也不能实现全套VPLS功能。

This leads one to investigate further if there are sensible ways to split the VPLS PE functionality between the U-PE and the N-PE.

这导致人们进一步研究是否有合理的方法在U-PE和N-PE之间分割VPLS PE功能。

- Generally, in the L2VPN architecture, the PEs are expected to participate as peers in the backbone routing protocol. Since the number of U-PEs is potentially very large relative to the number of N-PEs, this may be undesirable as a matter of scaling the backbone routing protocol.

- 通常,在L2VPN体系结构中,PEs应作为对等方参与主干路由协议。由于U-PEs的数量相对于N-PEs的数量可能非常大,因此在扩展主干路由协议时,这可能是不可取的。

- The U-PE may be a relatively inexpensive device that is unable to participate in the full range of signaling and/or auto-discovery procedures that are needed in order to provide the VPLS service.

- U-PE可以是相对便宜的设备,不能参与提供VPLS服务所需的全部信令和/或自动发现过程。

The VPLS functionality can be distributed between U-PE and N-PE in a number of different ways, and a number of different proposals have been made. They all presume that the U-PE will maintain a VSI forwarder, connected by PWs to the remote VSIs; the N-PE thus does not need to perform the VSI forwarding function. The proposals tend to differ with respect to the following questions:

VPLS功能可以以多种不同的方式在U-PE和N-PE之间分配,并提出了多种不同的建议。他们都假设U-PE将维护一个VSI转发器,通过PWs连接到远程VSI;因此,N-PE不需要执行VSI转发功能。提案在以下问题上往往有所不同:

- Should the U-PEs perform full PW signaling to set up the PWs to remote VSIs, or should the N-PEs do this signaling?

- U-PEs应该执行完整的PW信令来设置PWs到远程VSI,还是N-PEs应该执行此信令?

Since the U-PEs need to be able to send packets on PWs to remote VSIs and receive packets on PWs from remote VSIs, if the PW signaling is done by the N-PE, there would have to be some form of "lightweight" (presumably) signaling between N-PE and U-PE that allows the PWs to be extended from N-PE to U-PE.

由于U-PE需要能够将PWs上的数据包发送到远程VSI并从远程VSI接收PWs上的数据包,因此如果PW信令由N-PE完成,则N-PE和U-PE之间必须存在某种形式的“轻量级”(假定)信令,以允许PWs从N-PE扩展到U-PE。

- Should the U-PEs do their own auto-discovery, or should this be done by the N-PEs?

- U-PEs应该自己进行自动发现,还是由N-PEs进行自动发现?

In the latter case, the U-PEs may need to have some means of telling the N-PEs which VPLSes they are interested in, and the N-PEs must have some means of passing the results of the auto-discovery process to the U-PE.

在后一种情况下,U-PE可能需要有一些方法告诉N-PE他们感兴趣的VPLSE,并且N-PE必须有一些方法将自动发现过程的结果传递给U-PE。

Whether it makes sense to split auto-discovery in this manner may depend on the particular auto-discovery protocol used. One would not expect the U-PEs to participate in, if for example, a BGP-based auto-discovery scheme, but perhaps they would be expected to participate in a RADIUS-based auto-discovery scheme.

以这种方式拆分自动发现是否有意义可能取决于所使用的特定自动发现协议。例如,如果基于BGP的自动发现方案,人们不会期望U-PEs参与,但他们可能会参与基于RADIUS的自动发现方案。

- If a U-PE does not participate in routing but is redundantly connected to two different N-PEs, can the U-PE still make an intelligent choice of the best N-PE to use as the "next hop" for

- 如果U-PE不参与路由,但冗余连接到两个不同的N-PE,U-PE是否仍然可以智能地选择最佳N-PE作为路由的“下一跳”

traffic destined to a particular remote VSI? If not, can this choice be made as the result of some other sort of interaction between N-PE and U-PE, or does this choice need to be established by provisioning?

发送到特定远程VSI的流量?如果不是,这个选择是否可以作为N-PE和U-PE之间某种其他类型交互的结果,或者需要通过供应来确定这个选择?

- If a U-PE does not participate in routing but does participate in full PW signaling, and if MPLS is being used, how can an N-PE send a U-PE the labels that the U-PE needs in order to be able to send traffic to its signaling peers? (If the U-PE did participate in routing, this would happen automatically.)

- 如果U-PE不参与路由,但参与完整PW信令,并且如果使用MPLS,则N-PE如何向U-PE发送U-PE所需的标签,以便能够向其信令对等方发送流量?(如果U-PE确实参与了路由,这将自动发生。)

- When a frame must be multicast, should the replication be done by the N-PE or the U-PE?

- 当帧必须是多播时,复制应该由N-PE还是U-PE完成?

These questions are not all independent; the way one answers some of them may influence the way one answers others.

这些问题并非都是独立的;回答其中一些问题的方式可能会影响回答其他问题的方式。

3.4.4. Scaling Issues in VPLS Deployment
3.4.4. VPLS部署中的扩展问题

In general, the PSN supports a VPLS solution with a tunnel from each VPLS-PE to every other VPLS-PE participating in the same VPLS instance. Strictly, VPLS-PEs with more than one VPLS instance in common only need one tunnel, but for resource allocation reasons it might be necessary to establish several tunnels. For each VPLS service on a given VPLS-PE, it needs to establish one pseudowire to every other VPLS-PE participating in that VPLS service. In total n*(n-1) pseudowires must be setup between the VPLS-PE routers. In large scale deployment this obviously creates scaling problems. One way to address the scaling problems is to use hierarchy.

通常,PSN支持VPLS解决方案,该解决方案具有从每个VPLS-PE到参与同一VPLS实例的每个其他VPLS-PE的隧道。严格来说,具有多个VPLS实例的VPLS PE只需要一个隧道,但出于资源分配原因,可能需要建立多个隧道。对于给定VPLS-PE上的每个VPLS服务,它需要与参与该VPLS服务的每个其他VPLS-PE建立一条伪线。VPLS-PE路由器之间总共必须设置n*(n-1)条伪线。在大规模部署中,这显然会造成扩展问题。解决缩放问题的一种方法是使用层次结构。

3.5. IP-Only LAN-Like Service (IPLS)
3.5. 仅限IP的类似LAN的服务(IPLS)

If, instead of providing a general VPLS service, one wishes to provide a VPLS that is used only to connect IP routers or hosts (i.e., the CE devices are all assumed to be IP routers or hosts), then it is possible to make certain simplifications.

如果希望提供仅用于连接IP路由器或主机(即,CE设备均假定为IP路由器或主机)的VPLS,而不是提供一般VPLS服务,则可以进行某些简化。

In this environment, all Ethernet frames sent from a particular CE to a particular PE on a particular Attachment Circuit will have the same MAC Source Address. Thus, rather than use address learning in the data plane to learn the MAC addresses, the PE can use the control plane to learn the MAC address. This allows the PE to be implemented on devices that are not capable of doing MAC address learning in the data plane.

在此环境中,从特定CE发送到特定连接电路上的特定PE的所有以太网帧将具有相同的MAC源地址。因此,PE可以使用控制平面来学习MAC地址,而不是使用数据平面中的地址学习来学习MAC地址。这允许PE在不能在数据平面中进行MAC地址学习的设备上实现。

To eliminate the need for MAC address learning on the PWs as well as on the ACs, the pseudowire signaling protocol would have to carry the MAC address from one pseudowire endpoint to the other. In the case

为了消除PWs和ACs上MAC地址学习的需要,伪线信令协议必须将MAC地址从一个伪线端点传送到另一个伪线端点。在这种情况下

of IPv4, Each PE would perform proxy ARP to its directly attached CEs. In the case of IPv6, each PE would send proxy Neighbor and/or Router Advertisements.

对于IPv4,每个PE将对其直接连接的CE执行代理ARP。在IPv6的情况下,每个PE将发送代理邻居和/或路由器广告。

Eliminating the need to do MAC address learning on the PWs eliminates the need for the PWs to be point-to-point. Multipoint-to-point PWs could be used instead.

无需在PWs上进行MAC地址学习,PWs无需点对点。可以改用多点对点PWs。

Unlike a VPLS, all the ACs in an IPLS would not necessarily have to carry Ethernet frames; only the IP packets would need to be passed across the network, not their Layer 2 wrappers. However, if there are protocols that are specific to the Layer 2, but that provide, for example, address resolution services for Layer 3, it may then be necessary to "translate" (or otherwise interwork) one of these Layer 2 protocols to the other. For example, if an IPLS instance has an ethernet AC and a Frame Relay AC, and IPv4 is running on both, interworking between ARP and Inverse ARP might be required.

与VPLS不同,IPLS中的所有ACs不一定必须携带以太网帧;只有IP数据包需要通过网络传递,而不是它们的第2层包装。然而,如果存在特定于第2层但为第3层提供例如地址解析服务的协议,则可能需要将这些第2层协议中的一个协议“转换”(或以其他方式互通)到另一个协议。例如,如果一个IPLS实例有一个以太网AC和一个帧中继AC,并且IPv4在两者上运行,则可能需要ARP和反向ARP之间的互通。

The set of routing protocols that could be carried across the IPLS might also be restricted.

可以跨IPL传输的路由协议集也可能受到限制。

An IPLS instance must have a particular IPLS-wide MTU; if there are different kinds of AC in an IPLS instance, and those different kinds of AC support different MTUs, all ACS must enforce the IPLS-wide MTU; an AC that cannot do this must not be allowed to join the IPLS instance.

IPLS实例必须具有特定的IPLS范围的MTU;如果在一个IPLS实例中有不同种类的AC,并且这些不同种类的AC支持不同的MTU,那么所有AC都必须强制执行IPLS范围的MTU;不允许不能这样做的AC加入IPLS实例。

4. Security Considerations
4. 安全考虑

The security considerations section of the L2VPN requirements document [RFC4665] addresses a number of areas that are potentially insecure aspects of the L2VPN. These relate to both control plane and data plane security issues that may arise in the following areas:

L2VPN需求文件[RFC4665]中的安全注意事项一节阐述了L2VPN的一些潜在不安全方面。这些问题涉及以下领域可能出现的控制平面和数据平面安全问题:

- issues fully contained in the provider network

- 提供商网络中完全包含的问题

- issues fully contained in the customer network

- 完全包含在客户网络中的问题

- issues in the customer-provider interface network

- 客户-提供商接口网络中的问题

These three areas are addressed below.

下面介绍这三个领域。

4.1. Provider Network Security Issues
4.1. 提供商网络安全问题

This section discusses security issues that only impact the SP's equipment.

本节讨论仅影响SP设备的安全问题。

There are security issues having to do with the control connections that are used on a PE-PE basis for setting up and maintaining the pseudowires.

存在与PE-PE基础上用于设置和维护伪线的控制连接有关的安全问题。

A PE should not engage with another PE in a control connection unless it has some confidence that the peer is really a PE to which it should be setting up PWs. Otherwise, L2PVN traffic may go to the wrong place. If control packets are maliciously and undetectably altered while in flight, denial of service, or alteration of the expected quality of service, may result.

一个PE不应该在控制连接中与另一个PE接触,除非它有信心该对等方确实是一个它应该设置PWs的PE。否则,L2PVN流量可能会进入错误的位置。如果控制数据包在飞行过程中被恶意且不可检测地更改,则可能导致拒绝服务或预期服务质量的更改。

If peers discover each other dynamically (via some auto-discovery procedure), this presupposes that the auto-discovery procedures are themselves adequately trusted.

如果对等点动态地(通过一些自动发现过程)发现彼此,这就假定自动发现过程本身是充分可信的。

PEs should not accept control connections from arbitrary entities; a PE either should be configured with its peers or should learn them from a trusted auto-configuration procedure. If the peer is required to be within the same SP's network, then access control filters at the borders of that network can be used to prevent spoofing of the peer's source address. If the peer is from another SP's network, then setting up such filters may be difficult or even impossible, depending on the way in which the two SPs are connected. Even if the access filters can be set up, the level of assurance that they provide will be lower.

PEs不应接受来自任意实体的控制连接;PE应该与其对等方一起配置,或者应该从可信的自动配置过程中学习它们。如果要求对等方位于同一SP的网络中,则可以使用该网络边界处的访问控制筛选器来防止对对等方的源地址进行欺骗。如果对等方来自另一个SP的网络,则根据两个SP的连接方式,设置此类筛选器可能很困难,甚至不可能。即使可以设置访问过滤器,它们提供的保证级别也会更低。

Thus, for inter-SP control connections, it is advisable to use some sort of cryptographic authentication procedure. Control protocols which used TCP may use the TCP MD5 option to provide a measure of PE-PE authentication; this requires at least one shared secret between SPs. The use of IPsec between PEs is also possible and provides a greater degree of assurance, though at a greater cost.

因此,对于SP间控制连接,建议使用某种加密身份验证过程。使用TCP的控制协议可以使用TCP MD5选项来提供PE-PE认证的度量;这要求SP之间至少有一个共享机密。在PEs之间使用IPsec也是可能的,并且提供了更大程度的保证,尽管成本更高。

Any other security considerations that apply to the control protocol in general will also apply when the control protocol is used for setting up PWs. If the control protocol uses UDP messages, it may be advisable to have some protection against spoofed UDP messages that appear to be from a valid peer; this requires further study.

当控制协议用于设置PWs时,通常适用于控制协议的任何其他安全注意事项也将适用。如果控制协议使用UDP消息,建议对来自有效对等方的伪造UDP消息进行保护;这需要进一步研究。

To limit the effect of Denial of Service attacks on a PE, some means of limiting the rate of processing of control plane traffic may be desirable.

为了限制拒绝服务攻击对PE的影响,可能需要一些限制控制平面流量处理速率的方法。

Unlike authentication and integrity, privacy of the signaling messages is not usually considered very important. If it is needed, the signaling messages can be sent through an IPsec connection.

和身份验证和完整性不同,信令消息的隐私通常不被认为是非常重要的。如果需要,可以通过IPsec连接发送信令消息。

If the PE cannot efficiently handle high volumes of multicast traffic for sustained periods, then it may be possible to launch a denial of service attack on a VPLS service by sending a PE a large number of frames that have either a multicast address or an unknown MAC address in their MAC Destination Address fields. A similar denial of service attack can be mounted by sending a PE a large number of frames with bogus MAC Source Address fields. The bogus addresses can fill the MAC address tables in the PEs, with the result that frames destined to the real MAC addresses always get flooded (i.e., multicast). Note that this flooding can remove the (weak) confidentiality property of this or any other bridged network.

如果PE无法持续有效地处理大量多播流量,则可能通过向PE发送大量在其MAC目的地地址字段中具有多播地址或未知MAC地址的帧来对VPLS服务发起拒绝服务攻击。通过向PE发送大量带有虚假MAC源地址字段的帧,可以发起类似的拒绝服务攻击。伪地址可以填充PEs中的MAC地址表,结果是发送到真实MAC地址的帧总是被淹没(即多播)。请注意,此洪泛可以删除此或任何其他桥接网络的(弱)机密性属性。

4.2. Provider-Customer Network Security Issues
4.2. 提供商客户网络安全问题

There are a number of security issues related to the access network between the provider and the customer. This is also traditionally a network that is hard to protect physically.

提供商和客户之间存在许多与接入网络相关的安全问题。传统上,这也是一个很难进行物理保护的网络。

Typical security issues on the provider-customer interface include the following:

提供商-客户界面上的典型安全问题包括:

- Ensuring that the correct customer interface is configured

- 确保配置了正确的客户界面

- Preventing unauthorized access to the PE

- 防止未经授权访问PE

- Preventing unauthorized access to a specific PE port

- 防止未经授权访问特定PE端口

- Ensuring correct service delimiting fields (VLAN, DLCI, etc.)

- 确保正确的服务定界字段(VLAN、DLCI等)

As the access network for an L2VPN service is necessarily a Layer 2 network, it is preferable to use authentication mechanisms that do not presuppose any IP capabilities on the CE device.

由于L2VPN服务的接入网络必须是第2层网络,因此优选使用不预先假定CE设备上的任何IP能力的认证机制。

There are existing Layer 2 protocols and best current practices to guard against these security issues. For example, IEEE 802.1x defines authentication at the link level for access through an ethernet bridge; the Frame Relay Forum defines LMI extensions for authentication (FRF.17).

现有的第2层协议和当前最佳实践可以防止这些安全问题。例如,IEEE 802.1x在链路级别定义了通过以太网桥访问的身份验证;帧中继论坛定义了用于身份验证的LMI扩展(FRF.17)。

4.3. Customer Network Security Issues
4.3. 客户网络安全问题

Even if all CE devices are properly authorized to attach to their PE devices, misconfiguration of the PE may interconnect CEs that are not supposed to be in the same L2VPN.

即使所有CE设备都被正确授权连接到它们的PE设备,PE的错误配置也可能会互连不应该在同一L2VPN中的CE。

In a VPWS, the CEs may run IPsec to authenticate each other. Other Layer 3 or Layer 4 protocols may have their own authentication methods.

在VPWS中,CEs可以运行IPsec以相互验证。其他第3层或第4层协议可能有自己的身份验证方法。

In a VPLS, CE-to-CE IPsec is even more problematic, as IPsec does not well support the multipoint configuration that is provided by the VPLS service.

在VPLS中,CE到CE IPsec的问题更大,因为IPsec不支持VPLS服务提供的多点配置。

There may be alternative methods for achieving a degree of CE-to-CE authentication, if the L2VPN signaling protocol can carry opaque objects between the CEs, either inband (over the L2VPN) or out-of-band, through the participation of the signaling protocol. This is for further study.

如果L2VPN信令协议可以通过信令协议的参与在CEs之间(带内(通过L2VPN)或带外)携带不透明对象,则可以存在用于实现一定程度的CE到CE认证的替代方法。这是为了进一步研究。

The L2VPN procedures do not provide authentication, integrity, or privacy for the customer's traffic; if this is needed, it becomes the responsibility of the customer. For customers who really need these features or who do not trust their service providers to provide the level of security that they need, the L2VPN framework discussed in this document may not be satisfactory. Such customers may consider alternative L2VPN schemes that are based not on an overlay of PWs, but on an overlay of IPsec tunnels whose endpoints are at the customer sites; however, such alternatives are not discussed in this document.

L2VPN程序不为客户的流量提供身份验证、完整性或隐私;如果需要,这将成为客户的责任。对于真正需要这些功能或不信任其服务提供商提供所需安全级别的客户,本文档中讨论的L2VPN框架可能无法令人满意。这样的客户可以考虑不基于PWS覆盖的替代L2VPN方案,而是在其端点位于客户站点的IPSec隧道的覆盖上;但是,本文件未讨论此类替代方案。

If there is CE-to-CE control traffic (e.g., BPDUs) on whose integrity the customer's own Layer 2 network depends, it may be advisable to send the control traffic using some more secure mechanism than is used for the data traffic.

如果存在客户自己的第2层网络依赖于其完整性的CE-to-CE控制流量(例如bpdu),则建议使用比用于数据流量更安全的机制发送控制流量。

In general, any means of mounting a denial of service attack on bridged networks generally can also be used to mount a denial of service attack on the VPLS service for a particular customer. We have discussed here only those attacks that rely on features of the VPLS service that are not shared by bridged networks in general.

通常,在桥接网络上发起拒绝服务攻击的任何手段通常也可用于针对特定客户在VPLS服务上发起拒绝服务攻击。我们在这里只讨论了那些依赖于VPLS服务特性的攻击,这些特性通常不被桥接网络共享。

5. Acknowledgements
5. 致谢

This document is the outcome of discussions within a Layer 2 VPN design team, all of whose members could be considered co-authors. Specifically, the co-authors are Loa Andersson, Waldemar Augustyn, Marty Borden, Hamid Ould-Brahim, Juha Heinanen, Kireeti Kompella, Vach Kompella, Marc Lasserre, Pascal Menezes, Vasile Radoaca, Eric Rosen, and Tissa Senevirathne.

本文档是第2层VPN设计团队内部讨论的结果,该团队的所有成员都可以被视为共同作者。具体而言,合著者为洛亚·安德森、瓦尔德马尔·奥古斯丁、马蒂·波登、哈米德·乌尔德·布拉希姆、朱哈·海纳宁、基里蒂·科佩拉、瓦赫·科佩拉、马克·拉塞尔、帕斯卡·梅内泽斯、瓦西里·拉多卡、埃里克·罗森和蒂萨·塞内维拉斯。

The authors would like to thank Marco Carugi for cooperation in setting up context, working directions, and taking time for discussions in this space; Tove Madsen and Pekka Savola for valuable input and reviews; and Norm Finn, Matt Squires, and Ali Sajassi for valuable discussion of the VPLS issues.

作者要感谢Marco Carugi在建立背景、工作方向和花时间在此领域进行讨论方面的合作;Tove Madsen和Pekka Savola提供有价值的意见和评论;以及Norm Finn、Matt Squires和Ali Sajassi对VPLS问题进行了有价值的讨论。

6. Normative References
6. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC3985] Bryant, S. and P. Pate, "Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture", RFC 3985, March 2005.

[RFC3985]Bryant,S.和P.Pate,“伪线仿真边到边(PWE3)架构”,RFC 39852005年3月。

[RFC4026] Andersson, L. and T. Madsen, "Provider Provisioned Virtual Private Network (VPN) Terminology", RFC 4026, March 2005.

[RFC4026]Andersson,L.和T.Madsen,“提供商提供的虚拟专用网络(VPN)术语”,RFC 4026,2005年3月。

[RFC4665] Augustyn, W., Ed. and Y. Serbest, Ed., "Service Requirements for Layer 2 Provider-Provisioned Virtual Private Networks (L2VPNs)", RFC 4665, September 2006.

[RFC4665]Augustyn,W.,Ed.和Y.Serbest,Ed.,“第二层提供商提供的虚拟专用网络(L2VPN)的服务要求”,RFC 46652006年9月。

7. Informative References
7. 资料性引用

[IEEE8021D] IEEE 802.1D-2003, "IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Bridges"

[IEEE8021D]IEEE 802.1D-2003,“局域网和城域网的IEEE标准:媒体访问控制(MAC)网桥”

[IEEE8021Q] IEEE 802.1Q-1998, "IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks"

[IEEE8021Q]IEEE 802.1Q-1998,“局域网和城域网的IEEE标准:虚拟桥接局域网”

[RFC1771] Rekhter, Y. and T. Li, "A Border Gateway Protocol 4 (BGP-4)", RFC 1771, March 1995.

[RFC1771]Rekhter,Y.和T.Li,“边境网关协议4(BGP-4)”,RFC 17711995年3月。

[RFC2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G., and B. Palter, "Layer Two Tunneling Protocol "L2TP"", RFC 2661, August 1999.

[RFC2661]汤斯利,W.,瓦伦西亚,A.,鲁本斯,A.,帕尔,G.,佐恩,G.,和B.帕尔特,“第二层隧道协议“L2TP”,RFC 26611999年8月。

[RFC2796] Bates, T., Chandra, R., and E. Chen, "BGP Route Reflection - An Alternative to Full Mesh IBGP", RFC 2796, April 2000.

[RFC2796]Bates,T.,Chandra,R.,和E.Chen,“BGP路线反射-全网格IBGP的替代品”,RFC 2796,2000年4月。

[RFC3036] Andersson, L., Doolan, P., Feldman, N., Fredette, A., and B. Thomas, "LDP Specification", RFC 3036, January 2001.

[RFC3036]Andersson,L.,Doolan,P.,Feldman,N.,Fredette,A.,和B.Thomas,“LDP规范”,RFC 3036,2001年1月。

Authors' Addresses

作者地址

Loa Andersson Acreo AB

安德松·阿克雷奥律师事务所

   EMail: loa@pi.se
        
   EMail: loa@pi.se
        

Eric C. Rosen Cisco Systems, Inc. 1414 Massachusetts Avenue Boxborough, MA 01719

Eric C.Rosen Cisco Systems,Inc.马萨诸塞州伯斯堡马萨诸塞大道1414号,邮编01719

   EMail: erosen@cisco.com
        
   EMail: erosen@cisco.com
        

Waldemar Augustyn

瓦德马尔·奥古斯丁

   EMail: waldemar@wdmsys.com
        
   EMail: waldemar@wdmsys.com
        

Marty Borden

马蒂·波登

   EMail: mborden@acm.org
        
   EMail: mborden@acm.org
        

Juha Heinanen Song Networks, Inc. Hallituskatu 16 33200 Tampere, Finland

Juha Heinanen Song Networks,Inc.Hallituskatu 16 33200坦佩雷,芬兰

   EMail: jh@song.fi
        
   EMail: jh@song.fi
        

Kireeti Kompella Juniper Networks, Inc. 1194 N. Mathilda Ave Sunnyvale, CA 94089

Kireeti Kompella Juniper Networks,Inc.加利福尼亚州桑尼维尔市马蒂尔达大道北1194号,邮编94089

   EMail: kireeti@juniper.net
        
   EMail: kireeti@juniper.net
        

Vach Kompella TiMetra Networks 274 Ferguson Dr. Mountain View, CA 94043

Vach Kompella TiMetra Networks 274 Ferguson Mountain View博士,加利福尼亚州94043

   EMail: vach.kompella@alcatel.com
        
   EMail: vach.kompella@alcatel.com
        

Marc Lasserre Riverstone Networks 5200 Great America Pkwy Santa Clara, CA 95054

Marc Lasserre Riverstone Networks 5200大美洲Pkwy圣克拉拉,加利福尼亚州95054

   EMail: mlasserre@lucent.com
        
   EMail: mlasserre@lucent.com
        

Pascal Menezies

帕斯卡月经

   EMail: pascalm1@yahoo.com
        
   EMail: pascalm1@yahoo.com
        

Hamid Ould-Brahim Nortel Networks P O Box 3511 Station C Ottawa, ON K1Y 4H7, Canada

加拿大K1Y 4H7渥太华C站3511号邮政信箱哈米德·乌尔德·布拉希姆北电网络公司

   EMail: hbrahim@nortelnetworks.com
        
   EMail: hbrahim@nortelnetworks.com
        

Vasile Radoaca Nortel Networks 600 Technology Park Billerica, MA 01821

瓦西里·拉多卡北电网络600技术园马里兰州比勒里卡01821

   EMail: radoaca@hotmail.com
        
   EMail: radoaca@hotmail.com
        

Tissa Senevirathne 1567 Belleville Way Sunnyvale CA 94087

Tissa Senevirathne 1567加利福尼亚州桑尼维尔贝尔维尔路94087号

   EMail: tsenevir@hotmail.com
        
   EMail: tsenevir@hotmail.com
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (2006).

版权所有(C)互联网协会(2006年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).

RFC编辑器功能的资金由IETF行政支持活动(IASA)提供。