ITU-T Y 1311 1-2001 Network-Based IP VPN Over MPLS Architecture Series Y Global Information Infrastructure and Internet Protocol Aspects Internet Protocol Aspects - Transport (pre-published).pdf

Uploader: 周芸  Document ID: 806010  Uploaded: 2019-02-04  Format: PDF  Pages: 49  Size: 2.88 MB
Resource description

INTERNATIONAL TELECOMMUNICATION UNION

ITU-T
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU

Y.1311.1 (07/2001)

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE AND INTERNET PROTOCOL ASPECTS
Internet protocol aspects - Transport

Network-based IP VPN over MPLS architecture

ITU-T Recommendation Y.1311.1

(Formerly CCITT Recommendation)

ITU-T Y-SERIES RECOMMENDATIONS
GLOBAL INFORMATION INFRASTRUCTURE AND INTERNET PROTOCOL ASPECTS

GLOBAL INFORMATION INFRASTRUCTURE
General: Y.100-Y.199
Services, applications and middleware: Y.200-Y.299
Network aspects: Y.300-Y.399
Interfaces and protocols: Y.400-Y.499
Numbering, addressing and naming: Y.500-Y.599
Operation, administration and maintenance: Y.600-Y.699
Security: Y.700-Y.799
Performances: Y.800-Y.899

INTERNET PROTOCOL ASPECTS
General: Y.1000-Y.1099
Services and applications: Y.1100-Y.1199
Architecture, access, network capabilities and resource management: Y.1200-Y.1299
Transport: Y.1300-Y.1399
Interworking: Y.1400-Y.1499
Quality of service and network performance: Y.1500-Y.1599
Signalling: Y.1600-Y.1699
Operation, administration and maintenance: Y.1700-Y.1799
Charging: Y.1800-Y.1899

For further details, please refer to the list of ITU-T Recommendations.

ITU-T Recommendation Y.1311.1
Network-based IP VPN over MPLS architecture

Summary
This Recommendation specifies service requirements and a number of architectural approaches that are applicable to the provision of network-based virtual private networks by Service Providers using IP technology over an underlying MPLS-based infrastructure.

Source
ITU-T Recommendation Y.1311.1 was prepared by ITU-T Study Group 13 (2001-2004) and approved under the WTSA Resolution 1 procedure on 13 July 2001.

Keywords
Internetwork Protocol (IP), IP VPN, Multiprotocol Label Switching (MPLS), Virtual Private Network (VPN).

ITU-T Y.1311.1 (07/2001)

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE
In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this

Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database.

© ITU 2001
All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from ITU.

CONTENTS

1 Introduction
2 Scope
3 References
3.1 Normative references
3.2 Informative references
4 Abbreviations
5 Network-based IP VPN over MPLS reference model
6 Service definition
6.1 Functional definition of a “network-based IP VPN (over MPLS)”
6.2 Quantitative definition of a “network-based IP VPN (over MPLS)”
7 Service requirements
7.1 Multi-vendor interoperability
7.2 Service management capabilities
7.2.1 Network connectivity
7.2.2 Service monitoring
7.2.3 Security management features
7.2.4 SLA and QoS management features
7.3 Security functions
7.3.1 Introduction
7.3.2 VPN isolation
7.3.3 VPN user identification
7.3.4 VPN user authentication
7.3.5 Securing the flows
7.3.6 Peer identification
7.3.7 Peer authentication
7.3.8 Site protection
7.4 Support of various Quality of Service requirements
7.5 Support of various routing protocols (at edge and core levels of the SP network)
7.6 Scalable routing capabilities
7.7 Auto-discovery
7.8 Support of various types of customer IP traffic
7.9 Support of various VPN topologies
7.10 Support of various customer access scenarios
7.11 Addressing requirements and support of various IP numbering schemes
7.12 CE access to PE
7.13 Support of various service deployment scenarios
7.14 The solution should allow outsourcing of IP services (e.g. DNS, DHCP)
7.15 Reliability and fault tolerance
7.16 Efficiency (customer and network resource utilization)
7.17 No dependency on the physical or link layer of the Service Provider backbone
7.18 Support of alliances of VPNs
7.19 (Economically and technically) smooth migration of customers from pre-existing VPN service offerings
7.20 Support of interworking functions between MPLS-based VPN technology and other VPN technologies
7.21 Some numerical assumptions for a network-based IP VPN Service Provider offering
7.22 A VPN solution may support the following service requirements
8 Framework architecture
8.1 Learning customer-site reachability information
8.2 Distributing VPN reachability information
8.3 Constrained distribution of routing information
8.4 LSP tunnelling establishment and usage
9 Approaches for support of network-based IP VPN services
9.1 BGP/MPLS VPN approach
9.2 Virtual Router approach
9.2.1 Virtual Router
9.2.2 VR-based VPN architecture building blocks
9.2.3 VR-based VPNs deployment scenarios
9.2.4 VPN reachability determination
9.2.5 VPN membership and topology determination
9.2.6 Operations and management
9.2.7 Security considerations
9.2.8 VPN Quality of Service
9.2.9 Scalability
9.2.10 Hierarchical relationship between VR-based VPNs
10 QoS approaches
10.1 “Point-to-Cloud” SLS
10.2 “Point-to-Point” SLS
10.2.1 “Point-to-Point” SLS via resource allocation policies
10.2.2 “Point-to-Point” SLS via resource allocation policies and additional mechanisms (explicit in-band admission control, constraint-based routing)
10.3 “COS transparency”
11 Inter-Autonomous System (Inter-Service Provider) VPN
12 Interworking
12.1 Interworking between different solutions
12.1.1 Motivation for interworking among MPLS VPNs
12.1.2 Assumptions
12.1.3 Functional capabilities for interworking among MPLS VPNs
12.2 Service interworking with other VPN architectures
Annex A MPLS VPNs over non-MPLS core network infrastructures
Appendix I Examples of service interworking with other VPN architectures
Appendix II Bibliography

ITU-T Recommendation Y.1311.1
Network-based IP VPN over MPLS architecture

1 Introduction
A crucial need exists to specify mechanisms to support IP virtual private networks over MPLS networks. Furthermore, it is clear that Recommendations must describe and specify ways of developing interoperable implementations in order to allow end-to-end service delivery across multi-vendor service provider infrastructures. Service providers have urgent needs to deploy IP VPN services over MPLS infrastructure and they require carrier-class and fully interoperable implementations.

2 Scope
This Recommendation provides a general description of network-based IP VPN services and requirements including network architectures and interworking aspects between a set of possible approaches. The IP VPN service

requirements and supporting network architectures are intended to provide input and guidelines for the definition of protocol enhancements which may be developed by the IETF and other standardization entities for the support of IP VPNs.

Although this description primarily addresses MPLS-based networks, it is envisaged that some of these requirements may also apply to other IP-based network architectures using other technologies for the creation of network-based IP VPNs. Examples of these include GRE, IP within IP, IPSEC.

Another Recommendation, ITU-T Y.1311, currently under development, will provide a generic architecture and service requirements for IP VPNs.

3 References
The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated are valid. All Recommendations and other references are subject to revision; all users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published.

3.1 Normative references
[1] ITU-T Y.1241 (2001), Support of IP based services using IP transfer capabilities.
[2] ITU-T Y.1310 (2000), Transport of IP over ATM in public networks.

3.2 Informative references
[3] IETF RFC 2764 (2000), A Framework for IP Based Virtual Private Networks.
[4] IETF RFC 3031 (2001), Multiprotocol Label Switching Architecture.
[5] IETF RFC 2547 (1999), BGP/MPLS VPNs.
[6] IETF RFC 2917 (2000), A Core MPLS IP VPN Architecture.
[7] IETF RFC 2998 (2000), A Framework for Integrated Services Operation over Diffserv Networks.
[8] IETF RFC 2475 (1998), An Architecture for Differentiated Services.
[9] IEEE 802.1Q (1998), IEEE Standard for local and metropolitan area networks: virtual bridged local area network.
[10] ITU-T Y.1311 (Draft), IP VPNs - Generic architecture and service requirements.
[11] ITU-T Y.iptc (Draft), Traffic control and congestion control in IP networks.
[12] ITU-T Y.1720 (Draft), Protection switching for MPLS networks.

4 Abbreviations
This Recommendation uses the following abbreviations:

AAA      Authentication, Authorization and Accounting
ATM      Asynchronous Transfer Mode
BAS      Broadband Access Server
BGP      Border Gateway Protocol
CE       Customer Edge (device)
CHAP     Challenge Handshake Authentication Protocol
CoS      Class of Service
CR-LDP   Constraint-based Routing Label Distribution Protocol
DHCP     Dynamic Host Configuration Protocol
DLCI     Data Link Circuit Identifier
DNS      Domain Name Server
DS       Differentiated Services
DSCP     Differentiated Service Code Point
DSL      Digital Subscriber Line
DVMRP    Distance Vector Multicast Routing Protocol
EXP      MPLS Experimental Field
FR       Frame Relay
FTP      File Transfer Protocol
GRE      Generic Routing Encapsulation
HTTP     Hypertext Transfer Protocol
IETF     Internet Engineering Task Force
IGP      Interior Gateway Protocol
IP VPN   IP Virtual Private Network
IP       Internet Protocol
IPSEC    IP Security
ISDN     Integrated Services Digital Network
IS-IS    Intermediate System to Intermediate System
L2TP     Layer 2 Tunnelling Protocol
LDAP     Lightweight Directory Access Protocol
LSP      Label Switched Path
LSR      Label Switching Router
MD5      Message Digest 5
MIB      Management Information Base
MPLS     Multiprotocol Label Switching
NAS      Network Access Server
NAT      Network Address Translation
NNTP     Network News Transfer Protocol
OAM      Operations, Administration and Maintenance
OSPF     Open Shortest Path First
P        Provider (Core router)
PAP      Password Authentication Protocol
PE       Provider Edge (router)
PHB      Per Hop Behaviour
PHP      Penultimate Hop Popping
PIM      Protocol Independent Multicasting
POS      Packet Over Sonet/SDH
PPP      Point-to-point Protocol
PSTN     Public Switched Telephone Network
QoS      Quality of Service
RADIUS   Remote Authentication Dial In User Service
RIP      Routing Information Protocol
RSVP     Resource Reservation Protocol
SLA      Service Level Agreement
SLS      Service Level Specification
SMTP     Simple Mail Transfer Protocol
SNMP     Simple Network Management Protocol
SP       Service Provider
TACACS   Terminal Access Controller Access Control System
TCI      Tag Control Information
TE       Traffic Engineering
TMN      Telecommunications Management Network
TOS      Type of Service
VCC      Virtual Channel Connection
VCI      Virtual Circuit Identifier
VLAN     Virtual Local Area Network
VoIP     Voice over IP
VPI      Virtual Path Identifier
VPN      Virtual Private Network
VPN-ID   VPN Identifier
VR       Virtual Router

5 Network-based IP VPN over MPLS reference model

[Figure not reproduced; surviving labels: VPN B/Site 2, 10.4.0.0/16, VPN B/Site 3]

Figure 1/Y.1311.1 - Network-based IP VPN over MPLS reference model

NOTE - Figure 1 uses IPv4 address network prefix notation.

6 Service definition

6.1 Functional definition of a “network-based IP VPN (over MPLS)”

A network-based IP VPN provides a layer 3 service to customers. A customer site is connected to the Service Provider network-based IP VPN, and the IP VPN takes care of routing packets to the correct customer destination. With a network-based IP VPN, the provider edge routers are responsible for learning and distributing among themselves the customer layer 3 reachability information.

Consider a set of “sites” which are attached to a common network which may be called the “backbone”. If some policy is applied to create a number of subsets of that set with the following rule: two sites may have IP interconnectivity over that backbone only if at least one of these subsets contains them both. The resulting subsets are “Virtual Private Networks” (VPNs). Two sites have IP connectivity over the common backbone only if there is some VPN which contains them both. Two sites which have no VPN in common have no connectivity over that backbone.

If all the sites in a VPN are owned by the same enterprise, the VPN is a corporate “intranet”. If the various sites in a VPN are owned by different enterprises, the VPN is an “extranet”. A site can be in more than one VPN, e.g. in an intranet and in several extranets. In general, the use of the term VPN does not distinguish between intranets and extranets.

Consider the case in which the backbone is owned and operated by one or more Service Providers (SPs). The owners of the sites are the “customers” of the SPs. The policies that determine whether a particular collection of sites is a VPN are the policies of the customers. Some customers will want the implementation of these policies to be entirely the responsib
