International Telecommunication Union
ITU-T Y.1314
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2005)

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS
Internet protocol aspects – Transport

Virtual private network functional decomposition

ITU-T Recommendation Y.1314

ITU-T Y-SERIES RECOMMENDATIONS
GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS

GLOBAL INFORMATION INFRASTRUCTURE
  General                                                        Y.100–Y.199
  Services, applications and middleware                          Y.200–Y.299
  Network aspects                                                Y.300–Y.399
  Interfaces and protocols                                       Y.400–Y.499
  Numbering, addressing and naming                               Y.500–Y.599
  Operation, administration and maintenance                      Y.600–Y.699
  Security                                                       Y.700–Y.799
  Performances                                                   Y.800–Y.899
INTERNET PROTOCOL ASPECTS
  General                                                        Y.1000–Y.1099
  Services and applications                                      Y.1100–Y.1199
  Architecture, access, network capabilities and resource management  Y.1200–Y.1299
  Transport                                                      Y.1300–Y.1399
  Interworking                                                   Y.1400–Y.1499
  Quality of service and network performance                     Y.1500–Y.1599
  Signalling                                                     Y.1600–Y.1699
  Operation, administration and maintenance                      Y.1700–Y.1799
  Charging                                                       Y.1800–Y.1899
NEXT GENERATION NETWORKS
  Frameworks and functional architecture models                  Y.2000–Y.2099
  Quality of Service and performance                             Y.2100–Y.2199
  Service aspects: Service capabilities and service architecture Y.2200–Y.2249
  Service aspects: Interoperability of services and networks in NGN  Y.2250–Y.2299
  Numbering, naming and addressing                               Y.2300–Y.2399
  Network management                                             Y.2400–Y.2499
  Network control architectures and protocols                    Y.2500–Y.2599
  Security                                                       Y.2700–Y.2799
  Generalized mobility                                           Y.2800–Y.2899

For further details, please refer to the list of ITU-T Recommendations.

ITU-T Rec. Y.1314 (10/2005)

ITU-T Recommendation Y.1314
Virtual private network functional decomposition

Summary
This Recommendation describes the set of functions required to establish, operate and maintain client/server and peer level Virtual Private Networks (VPNs). The network functionality is described from a network level viewpoint, taking into account the VPN network layered structure, client characteristic information, client/server associations, networking topology and layer network functionality. The functional models are described using the modelling methodology described in ITU-T Recs G.805 and G.809. The modelling methodology employed is network technology-independent and therefore the functional models and associated functions described apply to all VPN layer network technologies.

Source
ITU-T Recommendation Y.1314 was approved on 14 October 2005 by ITU-T Study Group 13 (2005-2008) under the ITU-T Recommendation A.8 procedure.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database.

© ITU 2006
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS
1     Scope ........................................................ 1
2     References ................................................... 1
3     Definitions .................................................. 1
4     Abbreviations and Acronyms ................................... 3
5     Client/server VPNs ........................................... 6
5.1   Client/server combinations ................................... 7
5.2   VPN client layer transparency ................................ 9
6     Peer level VPNs .............................................. 9
6.1   Packet/route filtering ....................................... 10
6.2   Encryption ................................................... 10
6.3   Ethernet VLANs ............................................... 11
7     Functional architecture of VPNs .............................. 12
7.1   Connection-orientated VPN layer networks ..................... 13
7.2   Connectionless VPN layer networks ............................ 14
7.3   VPN client/server relationships .............................. 14
7.4   Multiple VPN client layers ................................... 19
7.5   Multiple VPN server layers ................................... 21
7.6   VPN modelling using partitioning ............................. 23
7.7   VPN peer layer ............................................... 24
8     VPN topology support ......................................... 26
8.1   Full mesh VPN topologies ..................................... 27
8.2   Partial mesh VPN topologies .................................. 27
8.3   Hub and spoke VPN topologies ................................. 28
9     VPN QoS considerations ....................................... 28
9.1   Circuit-switched layer networks .............................. 29
9.2   Packet-switched layer networks ............................... 29
10    Functions required for client/server VPN establishment ....... 31
10.1  VPN server layer establishment ............................... 31
10.2  VPN client layer authentication/configuration ................ 36
10.3  VPN client layer routing and signalling ...................... 38
11    Functions required for peer level VPN establishment .......... 41
11.1  VPN membership discovery ..................................... 41
11.2  CE/user authentication, authorization, and accounting (AAA) .. 42
11.3  VPN peer layer routing ....................................... 42
11.4  VPN peer layer network element configuration ................. 42
12    VPN OAM functions ............................................ 43
12.1  Fault management ............................................. 43
12.2  Performance management ....................................... 45
12.3  OAM activation/deactivation .................................. 45
12.4  Defects relevant to each network mode ........................ 46
13    Functional convergence and service scenarios ................. 47
13.1  Client/server VPN services scenarios ......................... 48
13.2  Peer level VPN scenarios ..................................... 48
14    VPN security considerations .................................. 48
Appendix I    Location of VPN client layer TCPs/TFPs ............... 49
Appendix II   Client/server VPNs with multiple VPN server layers ... 52
Appendix III  Examples of client/server and peer level VPN service scenarios  54
BIBLIOGRAPHY ....................................................... 57

ITU-T Recommendation Y.1314
Virtual private network functional decomposition

1 Scope
This Recommendation describes the set of functions required to establish, operate and maintain client/server and peer level Virtual Private Networks (VPNs). The network functionality is described from a network level viewpoint, taking into account the VPN network layered structure, client characteristic information, client/server associations, networking topology and layer network functionality. The functional models are described using the network technology-independent modelling methodology described in ITU-T Recs G.805 and G.809.

2 References
The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

– ITU-T Recommendation G.805 (2000), Generic functional architecture of transport networks.
– ITU-T Recommendation G.809 (2003), Functional architecture of connectionless layer networks.
– ITU-T Recommendation G.8010/Y.1306 (2004), Architecture of Ethernet layer networks.
– ITU-T Recommendation Y.1311 (2002), Network-Based VPNs – Generic architecture and service requirements.

3 Definitions
This Recommendation uses the following terms defined in ITU-T Rec. G.805:
3.1 access point
3.2 access group
3.3 adapted information
3.4 characteristic information
3.5 client/server relationship
3.6 connection
3.7 connection point
3.8 layer network
3.9 link
3.10 link connection
3.11 matrix
3.12 network
3.13 network connection
3.14 port
3.15 reference point
3.16 subnetwork
3.17 subnetwork connection
3.18 termination connection point
3.19 trail
3.20 trail termination
3.21 transport
3.22 transport entity
3.23 transport processing function
3.24 unidirectional connection
3.25 unidirectional trail

This Recommendation uses the following terms defined in ITU-T Rec. G.809:
3.26 access point
3.27 access group
3.28 adapted information
3.29 characteristic information
3.30 client/server relationship
3.31 connectionless trail
3.32 flow
3.33 flow domain
3.34 flow domain flow
3.35 flow point
3.36 flow point pool
3.37 flow termination
3.38 flow termination sink
3.39 flow termination source
3.40 layer network
3.41 link flow
3.42 network
3.43 network flow
3.44 port
3.45 reference point
3.46 traffic unit
3.47 transport
3.48 transport entity
3.49 transport processing function
3.50 termination flow point

This Recommendation uses the following term defined in ITU-T Rec. G.8010/Y.1306:
3.51 flow domain fragment

This Recommendation uses the following terms defined in ITU-T Rec. Y.1311:
3.52 Layer 1 VPN
3.53 Layer 2 VPN
3.54 Layer 3 VPN

This Recommendation defines the following terms:
3.55 VPN client layer network: A topological component in a client/server VPN that represents the set of access points of the same type associated for the purpose of transferring VPN client layer characteristic information.
3.56 VPN server layer network: A topological component in a client/server VPN that represents the set of access points of the same type associated for the purpose of transferring adapted VPN client layer information.
3.57 VPN peer layer network: A topological component that represents the set of access points of the same type associated for the purpose of transferring VPN peer layer characteristic information.

4 Abbreviations and Acronyms
This Recommendation uses the following abbreviations and acronyms:
AAA      Authentication, Authorization and Accounting
AAL      ATM Adaptation Layer
AG       Access Group
AI       Adapted Information
AIS      Alarm Indication Signal
AP       Access Point
ASON     Automatically Switched Optical Network
ATM      Asynchronous Transfer Mode
BFD      Bidirectional Forwarding Detection
BGP      Border Gateway Protocol
CAC      Connection Admission Control
CBR      Constant Bit Rate
CC       Connectivity Check
CE       Customer Edge
CI       Characteristic Information
CL-PS    Connectionless Packet-Switched
CO-CS    Connection-Orientated Circuit-Switched
CO-PS    Connection-Orientated Packet-Switched
CP       Connection Point
CV       Connectivity Verification
DHCP     Dynamic Host Configuration Protocol
DLCI     Data Link Connection Identifier
DSCP     Differentiated Services Code Point
DWDM     Dense Wave Division Multiplexing
EBGP     External Border Gateway Protocol
E-LMI    External LMI
ES       End System
FDF      Flow Domain Flow
FDFr     Flow Domain Fragment
FDI      Forward Defect Indication
FP       Flow Point
FPP      Flow Point Pool
FR       Frame Relay
FT       Flow Termination
FTP      Flow Termination Point
GRE      Generic Routing Encapsulation
IGP      Interior Gateway Protocol
IKE      Internet Key Exchange
IPv4     Internet Protocol Version 4
IPv6     Internet Protocol Version 6
ISIS     Intermediate System to Intermediate System
L2TP     Layer 2 Tunnelling Protocol
LDP      Label Distribution Protocol
LF       Link Flow
LMI      Local Management Interface
LOC      Loss Of Continuity
LOS      Loss Of Signal
LSP      Label Switched Path
MAC      Media Access Control
MP2P     Multipoint-to-Point
MP-BGP   Multi-Protocol BGP
MPLS     Multi-Protocol Label Switching
MTU      Maximum Transmission Unit
NE       Network Entity
NF       Network Flow
NMS      Network Management System
NSAP     Network Service Access Point
OAM      Operations, Administration and Maintenance
OOB      Out Of Band
OSI      Open Systems Interconnection
OSPF     Open Shortest Path First
OSS      Operational Support System
P        Provider (Node)
P2P      Point-to-Point
P2MP     Point-to-Multipoint
PCR      Peak Cell Rate
PE       Provider Edge
PM       Performance Monitoring
PNNI     Private Network-to-Network Interface
PHP      Penultimate Hop Popping
PW       Pseudo Wire
QoS      Quality of Service
RADIUS   Remote Authentication Dial In User Service
RIP      Routing Information Protocol
RPR      Resilient Packet Ring
RMON     Remote MONitoring
RSVP-TE  Resource ReserVation Protocol (with) Traffic Engineering (extensions)
SCR      Sustained Cell Rate
SDH      Synchronous Digital Hierarchy
SES      Severely Errored Second
SLA      Service Level Agreement
SNC      SubNetwork Connection
SNMP     Simple Network Management Protocol
SONET    Synchronous Optical NETwork
SPVC     Switched Permanent Virtual Circuit
SSL      Secure Socket Layer
STP      Spanning Tree Protocol
SVC      Switched Virtual Circuit
TCP      Termination Connection Point
TDM      Time Division Multiplexing
TFP      Termination Flow Point
TTL      Time-To-Live
TTSI     Trail Termination Source Identifier
UNI      User-to-Network Interface
VC       Virtual Circuit/Channel
VCCV     Virtual Circuit Connectivity Verification
VCI      Virtual Channel Identifier
VLAN     Virtual Local Area Network
VPI      Virtual Path Identifier
VPN      Virtual Private Network
WDM      Wavelength Division Multiplexing

5 Client/server VPNs
Client/server VPNs have a two-layer hierarchy in which a VPN server layer network is used to support one or more VPN client layer networks. ITU-T Rec. Y.1311 describes client/server VPNs in terms of VPN service types and VPN transport types, where the term VPN service type refers to the VPN client layer and the term VPN transport type refers to the VPN server layer. The different VPN service (client) and transport (server) types are classified in ITU-T Rec. Y.1311 as described below in Table 5-1.

Table 5-1/Y.1314 – Y.1311 service types

Service Type | Description
Layer 1      | Provides a physical layer service between customer sites belonging to the same VPN. Connections can be based on physical ports, optical wavelengths, SDH/SONET VCs, frequency channels, or timeslots.
Layer 2      | Provides a data link layer service between customer nodes belonging to the VPN. Forwarding of user data packet