
L2VPN RADIUS Auto-discovery and provisioning draft-ietf-l2vpn-radius-pe-discovery-01



Presentation Transcript


  1. L2VPN RADIUS Auto-discovery and provisioning
     draft-ietf-l2vpn-radius-pe-discovery-01
     Mark Townsley, Greg Weber, Wei Luo, Skip Booth (Juha Heinanen)
     IETF 62

  2. draft-ietf-l2vpn-radius-pe-discovery-01
     • Presented to RADEXT BOF, IETF-58
     • Adopted as L2VPN WG work item
     • Protocol-independent information model corresponding to multi-layered authorization
     • Different layers may map to different protocol-specific solutions based on deployments
     • RADIUS-specific mappings defined
     • Collapsible layers

  3. L2VPN Authorization Steps (slides 3 to 6 are incremental builds of this one slide)
     • Each step is independent and may be performed by any combination of local configuration, RADIUS, BGP, etc.
     1. CE/AC Authorization – Attachment Circuit to VPN ID
     2. VPN Authorization – VPN ID to PE Membership
     3. PW Authorization – PE Membership to PW signaling
     [Figure: a CE attached to a PE over an attachment circuit; the circuit maps to VPN-ID="101:14", whose member PEs are PE-A and PE-B]

  7. Changes in the -01 version of draft-ietf-l2vpn-radius-pe-discovery
     • Updated terminology
     • Generalized from VPLS to VPLS/VPWS/etc.
     • Reduce L2VPN-specific requirements on RADIUS servers: e.g. make servers less stateful.
     • Defined RADIUS attributes to support the above

  8. Updated Terminology
     Latest terminology from:
     • draft-ietf-l2vpn-l2-framework-05
     • draft-ietf-l2vpn-signaling-03
     AII: Attachment Individual Identifier
     AC: Attachment Circuit
     AGI: Attachment Group Identifier
     AS: Autonomous System
     CE: Customer Equipment
     L2VPN: Layer 2 Provider Provisioned Virtual Private Network
     NAI: Network Access Identifier
     NAS: Network Access Server
     PE: Provider Equipment
     SAI: Source Attachment Identifier
     SAII: Source Attachment Individual Identifier
     RADIUS: Remote Authentication Dial In User Service
     TAI: Target Attachment Identifier
     TAII: Target Attachment Individual Identifier
     VPLS: Virtual Private LAN Service
     VPN: Virtual Private Network
     VPWS: Virtual Private Wire Service

  9. RADIUS Attributes
     • VPN-ID: RFC 2685, "Virtual Private Networks Identifier"
     • Router-Distinguisher: draft-ietf-l3vpn-rfc2547bis-03, "BGP/MPLS IP VPNs"
     • Attachment-Individual-ID: draft-ietf-l2vpn-signaling-03, "Provisioning Models and Endpoint Identifiers in L2VPN Signaling"
     • Per-Hop-Behavior: RFC 3140, "Per Hop Behavior Identification Codes"
     • PE-Router-ID: draft-ietf-l2vpn-signaling-03, "Provisioning Models and Endpoint Identifiers in L2VPN Signaling"
     • PE-Address: IP address of PE
     • PE-Record: PE-Router-ID + AII [+ PW attribute/value pairs]

  10. RADIUS Transactions

  11. RADIUS Examples: CE/AC Authorization
     Request
       User-Name = "providerX/atlanta@vpnY.domainZ.net" (CE NAI)
       NAS-IP-Address = "1.1.1.1"
     Response
       VPN-ID = "100:14"

     Request
       User-Name = "ATM14.0.1" (AC Name)
       NAS-IP-Address = "1.1.1.1"
     Response
       Router-Distinguisher = "1:1.2.3.4:10001"

  12. RADIUS Examples: VPN Authorization
     Request
       User-Name = "100:14" (VPN-ID)
       NAS-IP-Address = "1.1.1.1"
     Response
       PE-Record = "2.2.2.2:14" (PE-Router-ID:AII)
       PE-Record = "2.2.2.2:15"
       PE-Record = "3.3.3.3:24"
       PE-Record = "3.3.3.3:25"

     Request
       User-Name = "100:14" (VPN-ID)
       NAS-IP-Address = "1.1.1.1"
     Response
       PE-Record = "2.2.2.2:14:PHB=256"

  13. RADIUS Examples: Pseudowire Authorization
     Request
       User-Name = "2.2.2.2" (PE-Router-ID)
       NAS-IP-Address = "1.1.1.1"
       Attachment-Individual-ID = "14"
       VPN-ID = "100:14"
     Response
       Per-Hop-Behavior = "256"
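An added example, not code from the draft or the slides: it parses the PE-Record strings shown on the VPN Authorization slide and gates step 3 (PW signaling) on the PE membership returned in step 2, so a PE only signals pseudowires to PE/AII pairs the VPN authorization actually listed. The names parse_pe_record, vpn_membership and authorize_pw, and the in-memory handling in place of a real RADIUS exchange, are constructed for this example.

```python
# Added example: PE-Record parsing plus a membership check between the
# VPN Authorization step and the PW Authorization step of the deck.
# Attribute formats and sample values come from the slides; the helper
# names and the in-memory data structures are constructed here.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PERecord:
    router_id: str                                   # PE-Router-ID
    aii: str                                         # Attachment Individual Identifier
    pw_attrs: dict = field(default_factory=dict, compare=False)  # optional PW attribute/value pairs


def parse_pe_record(text: str) -> PERecord:
    """Parse 'PE-Router-ID:AII[:name=value...]', e.g. '2.2.2.2:14:PHB=256'."""
    router_id, sep, rest = text.partition(":")
    aii, _, tail = rest.partition(":")
    if not sep or not aii:
        raise ValueError(f"PE-Record lacks Router-ID or AII: {text!r}")
    ipaddress.IPv4Address(router_id)  # slides show dotted quads; reject anything else
    attrs = {}
    for item in filter(None, tail.split(":")):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError(f"bad PW attribute {item!r} in PE-Record {text!r}")
        attrs[name] = value
    return PERecord(router_id, aii, attrs)


def vpn_membership(pe_records: list[str]) -> set[PERecord]:
    """Step 2: the PE/AII pairs carried as PE-Record attributes in the Access-Accept for a VPN-ID."""
    return {parse_pe_record(r) for r in pe_records}


def authorize_pw(members: set[PERecord], peer_router_id: str, peer_aii: str) -> dict:
    """Step 3: hand back the PW attributes for a peer that step 2 listed; refuse any other peer.

    When the PE-Record already carried the PW attributes (collapsed layers, as in
    '2.2.2.2:14:PHB=256'), they are returned here; an empty dict means a separate
    PW Authorization request would still be needed to learn them.
    """
    for rec in members:
        if rec.router_id == peer_router_id and rec.aii == peer_aii:
            return rec.pw_attrs
    raise PermissionError(f"{peer_router_id}:{peer_aii} is not a VPN member; PW signaling denied")
```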

  14. To do…
     • Address accounting: Steps #1 & #3 most interesting
     • Address dynamic authorization changes (via RFC 3576)
     • Security, IANA
     • Scalability
     • Considerations for IPv6?
     • How do CE credentials get to the PE for authenticated "zero-touch" provisioning?
