RE: WG review: Layer 2 Virtual Private Networks (l2vpn)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 18 Jun 2003, Vach Kompella wrote:
> > > - the IETF is too large, so we shouldn't be adding more work
> >
> > Yes.
> 
> So we should not do any new work?!

We should focus on the work that is more integral to IP and the Internet.

> > 1. Virtual Private LAN Service.  This is Internet-wise ethernet bridging
> > over routing protocols such as BGP, IS-IS, etc; further, this has
> > typically little respect for security implications which are implicit (or
> > even explicit) in LAN networks.
> >
> > So, my main points are:
> >
> >  - we must not overload routing protocols and such infrastructure (IMHO,
> > this seems an inevitable path the work would go towards..)
> 
> If you use LDP, it is NOT a routing protocol.  The specific mode of use
> (targeted LDP) is already described in RFC 3036.  The FECs are different, but
> the FEC TLV was defined in such a way as to be extensible.

Then LDP has been quite carefully cloaked as being one ("graceful restart 
for LDP, ..") :-)

The problem is of course also with the statement "If you use LDP..".  But
there also seem to be some interests in placing stuff elsewhere, like 
in BGP.

> >  - we must not create complexity by deploying ethernet bridging all over
> > the Internet.  Our work should be focused on making IP work, not
> > specifying Ethernet-over-IP (or worse, Ethernet-over-IP as a *service*).
> 
> Primarily, folks want to use it as in "Ethernet-over-MPLS".  That may not
> necessarily go down well with you either, but think of MPLS as a logical FR.
> Providers do not want to change their infrastructure, e.g., replace a FR cloud
> with an ATM cloud, then with SONET or GigE.  That's mega-expensive.  By
> abstracting the L2 using MPLS, they can provide the L2VPN service without
> wholesale infrastructure replacement.

Bridging networks at layer _3_ with VPN's is a bit questionable, but that 
is a bit more in our radar.  I don't think this is something we can 
endorse, as a model.
 
> >  - it is architecturally wrong: use different subnets, period -- that's
> > what those are meant for in the first place!
> 
> Use different subnets to create VPNs?  I don't understand what you mean.  VPLS
> and VPWS address a requirement for multiple domains (aka VPNs), logically
> distinct from and invisible to each other.

Why would you want to do something like:

                     __-----___
 Ethernet           (          )         The _same_ Ethernet
  segment =======  (  Internet  )  ===== segment!
                    (__     ___)
                       -----
Instead, build two separate ethernet segments: one with IP addressing from 
1.1.1.0/24 and the other from 1.1.2.0/24.  You may even want to build a L3 
VPN between the two.

But Ethernet?  That seems misguided.

> > 2. Virtual Private Wire Service
> >
> > This is slightly better as you're "only" performing point-to-point
> > communication.  Same considerations as above apply, to a slightly lesser
> > extent.
> >
> > Btw. how is this different from currently-specified GRE tunneling?  It
> > being made a "service"?
> 
> GRE-tunneling is one option, but only for the transport of the VC.  However, you
> need a demux field to identify the VC that you are carrying.  Carrying one
> customer VC between a pair of PEs is obviously not adequate.

I meant GRE tunneling between CPE's. :-)

> Tunneling is not new in the IETF.  The fact that you are tunneling what may be
> non-IP packets seems to be giving you the heebie-jeebies.  Why?  What about the
> tn3270, dlsw, netbios over ip work that has gone on in the past?  A little
> massaging to make the packet look like data to be carried over an IP network,
> and some implementation details at the edges.

I remember the multipoint media happen to have some assumptions about the 
network, e.g. the use of interpacket delay and the use collision 
detection.  These change a lot of when you expand the scope of an Ethernet 
beyond a physical segment.  Of course, these may not be always 
problematic, if you require switched Ethernet segments, but the thought is 
worrisome regardless.

Moreover, we work on an IP layer.  We enable IP layer to be able to handle 
our tasks.  If there is some problem why we cannot just use different IP 
subnets between the two (or multiple) end-points, we need to fix that 
problem, not burrow even further down the ISO layers.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]