[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
minutes from the nov-12-03 L3VPN meeting
Below are the minutes from the meeting in Minneapolis last week. Many thanks to Sue Hares
for taking notes at the meeting.
The presentation slides will appear in the proceedings.
Rick, Ron, and Ross
----------------------------------------------------------------------------------------
L3VPN Working Group
Wed 11/12/03 9:00am - 10:00am
Agenda:
Agenda Bashing (5 minutes - chairs)
Working Group Document Status (15 minutes -- Ross Callon)
Charter: Ongoing/Future Work (15 minutes - Ron Bonica)
MPLS over L2TP (15 minutes - mark Townsley)
CE member authentication (20 minutes)
1) Document status (Ross Callon)
L3 Framework <draft-ietf-l3vpn-framework-00.txt>
IESG has approved for publication
L3 Service req'ts <draft-ietf-l3vpn-requirements-00.txt
IESG Review and/or update based on comments
Generic req'ts <draft-ietf-ppvpn-generic-reqts-03.txt>
IESG Review and/or update based on comments
Security Framework
Passed WG last call;
Being updated based on security directorate comments
BGP/MPLS IP VPNs and AS
<draft-ietf-l3vpn-rfc2547bis-01.txt>,
<draft-ietf-l3vpn-as2547-03.txt>
Passed l3vpn working group last call
Is currently in IDR working group last call
VR Architecture and AS
<draft-ietf-l3vpn-vpn-vr-01.txt> & <draft-ietf-l3vpn-as-vr-00.txt >
Base document is ready for WG last call
AS update expected soon after IETF
Both should go to WG last call as soon as AS is ready
CE/IPSec Architecture and AS
<draft-ietf-l3vpn-ce-based-01.txt> &
<draft-declercq-l3vpn-ce-based-as-00.txt>
Recent update to address mailing list comments:
Clarify CE operation in two distinct routing spaces and
management spaces
More description of tunnel establishment
More description of Internet connectivity
Awaiting update to AS
Security considerations and template
WG Last call expected soon
Guidelines of Applicability Statements for PPVPNs
<draft-ietf-l3vpn-applicability-guidelines-00.txt>
Long term disposition is still tbd
MPLS/BGP MIB <draft-ietf-ppvpn-mpls-vpn-mib-05.txt>
Needs update & MIB Doctor review
WG last call should occur relatively soon thereafter
Virtual Router MIB <draft-ietf-ppvpn-vr-mib-05.txt>
same status as MPLS/BGP MIB
CE MIB
TBD (do we need a MIB? - question to be addressed on mail list)
Req'ts for MPLS MIBs <draft-lai-mpls-mib-rqmts-00.txt>
L3vpn issues have been resolved.
Framework for PPVPN Op. & Man. <draft-ietf-l3vpn-mgt-fwk-00.txt>
Accepted as working group document at last IETF
Comments to l3vpn mailing list
Textual Conventions <draft-ietf-ppvpn-tc-mib-02.txt>
"Very Stable".
2547 for IPv6 <draft-ietf-ppvpn-bgp-ipv6-vpn-03.txt>
Charter is being updated to include IPv6
PE-PE IPsec for 2547 <draft-ietf-ppvpn-ipsec-2547-03.txt>
PE-PE GRE or IP for 2547 <draft-ietf-ppvpn-gre-ip-2547-02.txt>
BGP as Auto-Discovery <draft-ietf-ppvpn-bgpvpn-auto-05.txt>
All of above are stable, no significant recent updates
CE-to-CE Member Verif'n
<draft-ietf-ppvpn-l3vpn-auth-03.txt> and
<draft-ietf-Behringer-mpls-vpn-auth>
Possibility to reconcile the two approaches in a
single document - see below.
OSPF as PE/CE Protocol in BGP/MPLS VPNs
<draft-ietf-l3vpn-ospf-2547-00.txt>
Currently in WG last call
Last call extended to 11/21/2003 (5pm EST)
Related document <draft-ietf-ospf-2547-dnbit-01.txt>
in last call in the OSPF working group
2) Charter (Ron Bonica)
We have made progress and are nearing completion of many of our
original tasks (eg, Framework and Requirements Documents completed,
Security Frameworks passed WG last call, BGP/MPLS base spec and AS
passed l3vpn last call and are in IDR last call, ...). It is
therefore a good time to think about future work.
We propose updating the Charter for additional work items. We have
proposed to the IESG an update which adds support for IPv6. As the
current set of documents is completed, we will propose to also add
charter support for Multicast.
3) MPLS over L2TPv3 with BGP L3VPNs (Mark Townsley)
(see presentation)
Proposal: Edit current contribution to include BGP signaling along
with L2TP formats. Use this to create a new document which could
become draft-ietf-l3vpn-l2tpv3-2547-00.txt (if accepted as a working
group document).
Note that this would be in addition to existing documents:
draft-ietf-l3vnp-ipsec-2547-03.txt
draft-ietf-l3vpn-gre-ip2547-00
Discussion:
1) Yakov: There were some comments in opposition to this when
it was presented in MPLS. Security is an issue
a) Security review is needed (by security directorate)
b) Solution presented was not specific to L2TP.
c) justification needed for not using L2TP signaling
2) Ross: Why do we need another encapsulation? We already have
encapsulation over MPLS, GRE, and IPsec. Does this have an
advantage that these other encapsulations don't?
(response) There are already 4 encapsulations
MPLS over MPLS
MPLS over IPsec
MPLS over GRE
MPLS over IP
(Eric Rosen) We already have many many different tunnel types
in use in network. Service providers have preferences. We need
a specification for each.
Agreement, we should include the reasons why the
choices are being made.
Mark: The intention is to update the document before it would be
a working group document.
Ross: We can't accept a document as a working group document until
we have the document. Can you send an outline to the mailing list
with a description of what would be in the extended draft with the
articulation of the issues?
Mark: Yes, this makes sense.
Agreement: Will be discussed on the list.
3) Reconciling the L3VPN authentication Drafts
(also known as "Singing Kumbaya"), M Behringer, M. Bonica
We currently have two drafts related to authentication (one a working
group document, one an individual contribution):
1) Draft-ietf-l3vpn-l3vpn-auth
- provides the method through which the customers
can detect SP misconfiguration
- Does nothing to prevent misconfiguration
- delegates authentication task to the CE
- requires new functionality on the CE
2) Draft Behringer-mpls-vpn-auth
- reduces the probabilty of SP misconfiguration
- Does not allow customer to detect misconfiguration if
it does occur
- delegates the authentication task to the PE
- requires nothing new on the CE
We have two drafts. Option are: merge, let them both live, kill one.
We propose to merge the drafts.
Opportunity:
1) PE obtains the token from CE
original draft: BGP extended community received from CE
new protocol with CE
Hashed authentication key from CE-PE routing protocol
2) PE distributes token throughout SP network
3) PE
- Distribute to CE using BGP community or
new protocol
- User decides whether or not to authenticate
Convergence:
1) Converge on a common mechanisms for distribution
- Use a new BGP attribute
2) Add a third mechanism for obtaining token to
draft-ietf-l3vpn-l3vpn-auth
= Drive the token from the PE-CE MD5 key
3) Add a third application for the key at the egress PE
- Use it to decide whether to install the route
Discussion: (Ross Callon) Reasonable to update document. Comments on
the list.
(Ron Bonica) We would appreciate comments from Carrier's and
Service providers.
4) Michael Beringer: <draft-behringer-mpls-security-04.txt>
He wants to know what the disposition will be of his document
"Analysis of the Security of BGP/MPLS IP VPNs". He requests
that people send comments on the draft to the mailing list.
Ross: This makes sense. Please review the document to determine whether
it should become a working group document with the intention of being
published as Information. Send comments to the list. Requested that
Michael send a message to the mail list requesting feedback on the
beringer security draft. Michael agrees.