Virtual Private Networks (i.e., VPNs) provide a secured means for transmitting and receiving data between network nodes even though a corresponding physical network supporting propagation of the data is shared and accessible by many users. Data transmitted between such network nodes (e.g., edge nodes of a service provider network) mayor may not be encrypted prior to transmission across the physical network to protect against eavesdropping and tampering by unauthorized parties. Because such a physical network is shared, overall costs of using network resources is generally reduced.
In one application, the overall physical network includes (at its core) a service provider network such as a wide area network. Depending on configuration settings, the service provider network may support VPN connectivity between autonomous (or private) networks or groups of networks under a common administration. For example, networks disposed at two different sites across a service provider network may be selectively connected based on VPN links supported by the core service provider network.
A service provider network topology may include peripherally located provider edge routers, each of which couples to one or multiple customer edge routers. The customer edge routers, in turn, may couple to private local area networks associated with one or multiple customers. As discussed, the service provider network selectively couples the local area networks to each other through links created between the provider edge routers. The provider edge routers typically maintain configuration data such as Virtual Routing and Forwarding (VRF) information dictating how to route and forward traffic through the shared physical network to support corresponding VPNs.
Certain VPNs such as those supported by RFC2547 (Request For Comments 2547) do not require that PE-CE (Provider Edge-Customer Edge) sessions or PE-PE (Provider Edge-Provider Edge) sessions be authenticated. However, if deployed, conventional route authentication may involve a three step process. For example, end-to-end route authentication between a first and a second customer edge router may include: i) routing MD5 authentication between the first customer edge router and a corresponding first provider edge router, ii) routing MD5 authentication between the first provider edge router and a second provider edge router in a service provider network, and iii) routing MD5 authentication between the second provider edge router and second customer edge router.
Based on this technique of authenticating VPNs and associated VRF data at intermediate supporting nodes (e.g., CE-PE, PE-PE, and PE-CE sessions) of the physical network, attributes such as the VRF information associated with corresponding virtual private networks can be modified in response to corresponding customers requesting support for different VPN topologies. Typically, it is up to the service provider to ensure that VRF information stored at provider edge routers are properly updated and maintained to ensure appropriate connectivity between the autonomous local area networks coupled to the customer edge routers.