A virtual router approach in combination with MPLS is described in [RFC2917]. Compared to BGP-VPNs (called overlay models in the RFC), no modifications are needed to the routing protocol applied. A virtual router is described as a collection of threads in a router, either static or dynamic, that provides routing and forwarding services. These services are the same as those a physical router would provide. A virtual router is set up to give the illusion that a physical router is present, and therefore it provides an element in the (virtual) routing domain. Hence, given that the virtual router connects to a specific (logically discrete) routing domain and that a physical router can support multiple virtual routers, it follows that a physical router supports multiple (logically discrete) routing domains [RFC2917]. It is further stated that the following aspects of a router must be emulated:

  • Configuration of any combination of routing
    protocols;

  • Monitoring of the network;

  • Troubleshooting.

Independent of VPN type, a set of requirements can be identified, including security, manageability, interoperability, scalability, traffic engineering and QoS/SLA/SLS support. A Service Level Specification (SLS) may be defined for each VPN, VPN site, interface, or similar. Target values and measurement procedures for a set of parameters are typically defined, including:

  • Traffic values (bit rates) and QoS values for
    each service class and for aggregates;

  • Ways of handling non-conformant traffic;

  • Availability for a site, for the VPN or for the
    interface;

  • Duration of outage times per site, route, VPN,
    etc.;

  • Time for activating a new service;

  • Response time for trouble reporting;

  • Repair time.


A VPN may carry traffic flows for several types of applications. Some flows may have real-time requirements, while others are more elastic. Hence, both the IntServ model for selected individual flows and DiffServ for aggregated flows might be requested within a VPN (see [Jens01] for a description of IntServ and DiffServ). A specific requirement is that the class assigned to a traffic flow at the ingress of the VPN should be kept at the egress of the VPN (called service class transparency). An example of this is to keep the packet's assignment to its DiffServ class.

Different types of encapsulation may be used for
the tunnels:


  • MPLS, as described in [Jens01]. Labels are attached to the IP packets, giving the forwarding treatment and the Label Switched Path (LSP) to follow. Several LSPs may be multiplexed into other LSPs. This requires state information per VPN. Some differentiation may be supported. LSPs may be established and maintained by signalling or management procedures.

  • IPSec, as described in Section 7.3.1. Multiplexing may be supported, and the Internet Key Exchange (IKE) protocol is used for establishing and maintaining the tunnels.

  • Generic Routing Encapsulation (GRE), a protocol for encapsulating any payload protocol over any link (delivery) protocol (e.g. IP-in-IP). Multiplexing is not supported, and there are no specific procedures for establishing and maintaining the tunnels.

  • IP-in-IP, referring to encapsulating IP packets within other IP packets as described in Section 3.1.
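As an added example (not from the article), the following Python builds the IP-in-IP and GRE encapsulations listed above for a tunnel between two PE routers and copies the inner packet's DiffServ field into the outer header, so the class assigned at the VPN ingress is visible in the backbone and intact at the egress (the service class transparency requirement above). The PE and customer addresses and the payload are constructed sample values; the header layouts follow RFC 2003 (IP-in-IP) and RFC 2784 (GRE).

```python
import socket
import struct

IPPROTO_IPIP = 4   # IP-in-IP, RFC 2003
IPPROTO_GRE = 47   # GRE, RFC 2784
GRE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, tos: int = 0) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) followed by the payload."""
    fields = [0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def encapsulate(inner: bytes, pe_src: str, pe_dst: str, mode: str = "ipip") -> bytes:
    """Ingress PE: wrap a customer packet for the tunnel to the egress PE. The inner
    TOS byte (DSCP + ECN) is copied to the outer header to keep the DiffServ class."""
    inner_tos = inner[1]
    if mode == "gre":
        gre = struct.pack("!HH", 0, GRE_IPV4)   # no checksum/key/sequence fields
        return build_ipv4(pe_src, pe_dst, IPPROTO_GRE, gre + inner, tos=inner_tos)
    return build_ipv4(pe_src, pe_dst, IPPROTO_IPIP, inner, tos=inner_tos)


def decapsulate(outer: bytes) -> bytes:
    """Egress PE: validate the outer header and return the inner packet unchanged."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    proto = outer[9]
    if proto == IPPROTO_IPIP:
        return outer[ihl:]
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
        if flags != 0 or ptype != GRE_IPV4:
            raise ValueError("unsupported GRE header")
        return outer[ihl + 4:]
    raise ValueError("outer protocol %d is not a tunnel" % proto)


def dscp(packet: bytes) -> int:
    return packet[1] >> 2   # DiffServ code point: upper six bits of the TOS byte
```

Copying the DSCP outward is what RFC 2983 calls the uniform model; a provider that wants its own backbone marking would instead set the outer TOS independently and let the inner marking ride through untouched.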


VPN membership refers to the association of VPNs, CEs and PEs. A certain CE belongs to one or more VPNs. The set of VPNs that a PE is involved in may change over time due to added or deleted customer networks or their changed configurations. Appropriate means for distributing VPN membership information must therefore be implemented.

In case the provider network (at least the PE routers) operates on layer 3 (that is, examines IP packet headers), independent forwarding tables could emerge for each VPN, sometimes referred to as a VPN forwarding instance (VFI). This also resembles the virtual router concept. A VFI is a logical entity in a PE containing the routing information base and forwarding information base for a VPN. The VFI terminates tunnels for interconnecting with other VFIs and terminates access connections for connected CEs.

7.2.2 VPN by MPLS and BGP
A method for providing the VPN service in an IP-based backbone using MPLS and BGP is described by [RFC2547]. MPLS is used for forwarding (tunnelling), while BGP is used for distributing routing information. In this way a VPN is established which itself may provide IP services to customers (e.g. considered as a "wholesale VPN"). The common backbone can then be