The present invention relates to virtual private network (VPN) services, and particularly to providing VPN services between two or more Autonomous Systems (AS).
Virtual Private Networks (VPN) are commonly used for connecting trusted parties or “sites” to each other over an untrusted (public) backbone network through a secure tunnel. Two sites have IP connectivity over the common backbone only if there is some VPN which contains them both. Two sites which have no VPN in common have no connectivity over that backbone. If all the sites in a VPN are owned by the same enterprise, the VPN may be thought of as a corporate “intranet”. If the various sites in a VPN are owned by different enterprises, the VPN may be thought of as an “extranet”. A site can be in more than one VPN; e.g., in an intranet and in several extranets. In general, when we use the term VPN, we will not be distinguishing between intranets and extranets. The owners of the sites are often referred to as the “customers”. The owners/operators of the backbone are often referred to as the “Service Providers” (SPs). The customers obtain “VPN service” from the SPs. A customer may be a single enterprise, a set of enterprises, an Internet Service Provider, an Application Service Provider, another SP which offers the same kind of VPN service to its own customers, etc.
Security and management considerations may render it advantageous to subdivide a large network into several network parts that need to know as little as possible of each other. This is especially important in the case where these network parts are managed by different service providers. These network parts are often referred to as Autonomous Systems (AS). The Autonomous System corresponds to an administrative domain, such as university, company, backbone network, etc.
The Internet Engineering Task Force (IETF) has defined a concept which allows Service Providers to offer Virtual Private Network (“VPN”) services to their customers. Each VPN site must contain one or more Customer Edge (CE) routers. Each CE router is attached, via some sort of attachment circuit, to one or more Provider Edge (PE) routers. CE routers are logically part of the customer's VPN, and PE and P routers are logically part of the SP's network. The attachment circuit over which a packet travels when going from CE to PE is known as that packet's “ingress attachment circuit”, and the PE as the packet's “ingress PE”. The attachment circuit over which a packet travels when going from PE to CE is known as that packet's “egress attachment circuit”, and the PE as the packet's “egress PE”. We will say that a PE router is attached to a particular VPN if it is attached to a CE router which is in a site of that VPN. Similarly, we will say that a PE router is attached to a particular site if it is attached to a CE router which is in that site. When the CE device is a router, it is a routing peer of the PE(s) to which it is attached, but it is not a routing peer of CE routers at other sites. Routers at different sites do not directly exchange routing information with each other; in fact, they do not even need to know of each other at all. As a consequence, the customer has no backbone or “virtual backbone” to manage, and does not have to deal with any inter-site routing issues. Each PE router maintains a number of separate forwarding tables, including VPN Routing and Forwarding tables (VRFs). Every PE-CE attachment circuit is associated, by configuration, with one or more VRFs. An attachment circuit which is associated with a VRF is known as a “VRF attachment circuit”. In the simplest and most typical case, a PE-CE attachment circuit is associated with exactly one VRF.
When an IP packet is received over a particular attachment circuit, its destination IP address is looked up in the associated VRF. The result of that lookup determines how to route the packet. The VRF used by the packet's ingress PE for routing a particular packet is known as the packet's “ingress VRF”. The packet's “egress VRF” is located at the packet's egress PE.
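The following is an added illustration, not code from the patent or from the IETF documents it cites: a minimal model of a PE router that binds each attachment circuit to one VRF and resolves a packet's destination by longest-prefix match in the ingress VRF. The router name, circuit names, VPN names and prefixes are constructed; the example also shows that the same customer prefix can exist in two VRFs without conflict, and that a site gets no route to a destination unless some VPN contains both.

```python
# Added example (not from the patent text): a PE holding several VRFs.
# Each attachment circuit is bound to exactly one VRF (the simplest case the
# text describes); a destination is looked up only in the ingress VRF.
# All names, VPNs and prefixes below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # a local CE or a remote PE name


@dataclass
class PE:
    name: str
    ac_to_vrf: dict = field(default_factory=dict)   # attachment circuit -> VRF
    vrfs: dict = field(default_factory=dict)        # VRF -> list of Route

    def bind(self, ac, vrf):
        """Associate an attachment circuit with a VRF (configuration step)."""
        self.ac_to_vrf[ac] = vrf
        self.vrfs.setdefault(vrf, [])

    def install(self, vrf, prefix, next_hop):
        """Install a route into a VRF (learned from a CE or via MP-iBGP)."""
        self.vrfs[vrf].append(Route(ipaddress.ip_network(prefix), next_hop))

    def lookup(self, ingress_ac, dst):
        """Return the next hop for dst as seen from ingress_ac, or None."""
        vrf = self.ac_to_vrf.get(ingress_ac)
        if vrf is None:
            return None          # circuit bound to no VRF: nothing is forwarded
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.vrfs[vrf]:
            if addr in r.prefix and (best is None or
                                     r.prefix.prefixlen > best.prefix.prefixlen):
                best = r             # longest prefix match wins
        return best.next_hop if best else None


def build_pe():
    """Constructed PE1 with two VRFs; CE1 is in VPN red, CE2 in VPN blue."""
    pe = PE("PE1")
    pe.bind("ac-to-CE1", "VRF-red")
    pe.bind("ac-to-CE2", "VRF-blue")
    pe.install("VRF-red", "10.0.0.0/24", "CE1")    # advertised by CE1 over eBGP
    pe.install("VRF-red", "10.1.0.0/16", "PE2")    # learned from PE2 via MP-iBGP
    pe.install("VRF-red", "10.1.2.0/24", "PE3")    # more specific, same VPN
    pe.install("VRF-blue", "10.0.0.0/24", "CE2")   # same prefix, different VPN
    return pe


if __name__ == "__main__":
    pe = build_pe()
    print(pe.lookup("ac-to-CE1", "10.1.2.7"))   # PE3 (longest match)
    print(pe.lookup("ac-to-CE2", "10.1.2.7"))   # None (blue has no such route)
```

Because the lookup is confined to the VRF of the ingress circuit, overlapping customer address space is harmless and a site never learns a path into a VPN it is not part of.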
An Autonomous System AS has an Autonomous System Border Router for connections to other Autonomous System(s). The Border Gateway Protocol (“BGP”) is used to distribute the customers' routes across the provider's IP (Internet Protocol) backbone network, and Multiprotocol Label Switching (“MPLS”) is used to tunnel customer packets across the provider's backbone. This is known as a “BGP/MPLS IP VPN”. More specifically, if two sites of a VPN attach to PEs which are in the same Autonomous System, the PEs can distribute VPN-IPv4 routes to each other by means of an IBGP connection between them. The term “IBGP” refers to the set of protocols and procedures used when there is a BGP connection between two BGP speakers in the same Autonomous System. This is distinguished from “EBGP”, the set of procedures used between two BGP speakers in different Autonomous Systems. Alternatively, each can have an IBGP connection to a route reflector [BGP-RR]. MP-iBGP is employed between two routers within the same AS, and MP-eBGP is used between routers in different ASs, as will be described below with reference to FIG. 3.
RFC2547bis (draft-ietf-l3vpn-rfc2547bis-03.txt, Internet Engineering Task Force (IETF): BGP/MPLS IP VPNs), especially Chapter 10, defines different ways for providing IP VPN service in a situation wherein the customer sites are attached to provider edge routers PE belonging to different Autonomous Systems (AS) managed by different service providers.
FIG. 1 illustrates the first inter-AS option (a) defined by RFC2547bis. In the example shown, provider edge routers PE1 . . . PE4 are the ingress/egress PEs of a packet. CE routers are typically located at the customer's facilities. A PE has a logical attachment circuit leading to a CE router and associated with the VPN Routing and Forwarding table (VRF) which implements the virtual network of the respective customer. In inter-AS option (a), the Autonomous System Border Routers ASBR are directly interconnected (i.e., there is no Label Switched Path LSP or Multiprotocol Label Switching MPLS network between them). VRFs are distinguished from each other by means of a physical or logical connection between the ASBR routers, so that the VRFs implementing the same VPN are associated with each other using a different physical connection or subconnection (logical connection). In the example shown in FIG. 1, VRF1 in ASBR1 and VRF1 in ASBR2 are associated with each other. The routing of the VPN routes for this option (a) is as follows. Let us consider the case where a router CE1 at the customer's site advertises the IP network ‘10.0.0.0/24’ to the edge router PE1 by means of an eBGP session. The router PE1 installs the network ‘10.0.0.0/24’ to an appropriate VRF (e.g. VRF1) and thereafter advertises the network ‘10.0.0.0/24’ further to other PE routers (such as PE2, ASBR1) within the MPLS network of the same Autonomous System AS by means of the MP-iBGP protocol. As a result, ASBR1 also receives the advertisement and installs the route to a VRF. ASBR1 then advertises the route as a normal IPv4 route to ASBR2 by means of the eBGP protocol. ASBR2 advertises the route to other PE routers (e.g. PE3, PE4) within its own Autonomous System AS by means of the MP-iBGP protocol, and those PE routers then advertise the route as a normal IPv4 route to the CE routers.
A problem in this option (a) is that the MPLS technique cannot be used between the ASBR routers; instead, a logical or physical connection per VPN is required in the manner described above. Routing of the VPN routes requires one eBGP session for each VPN, which can also prevent scalability to a large number of VPNs.
FIG. 2 illustrates the second inter-AS option (b) defined by RFC2547bis. In this option, no actual VRFs are maintained in the ASBR routers. The ASBR routers have to maintain the VPN routes, but the routes are not installed to VRFs. VPN route information, which also contains a label (VPN label) used for the respective route, is distributed using the MP-eBGP protocol. Typically the ASBR router rewrites the next hop attribute in the BGP message to address the ASBR router itself. Thus, the packet transferred between ASBR routers is labelled with a VPN label but contains no Packet Switched Network (PSN) label, due to which there can be no MPLS network with a PSN tunnel between the ASBR routers. Such a tunnel would be needed if more than two ASBR routers were interconnected to each other, or if the ASBR routers were remote from each other and the MPLS technique were employed in the switching layer. Otherwise, the routing of the VPN route is similar to that of option (a), except that a single MP-eBGP session is used between the ASBR routers to distribute the VPN-IPv4 addresses, and several eBGP sessions are not required for that purpose.
A problem in this option (b) is that a label switched path is needed between the ingress and the egress PEs, because the ASBR routers will not terminate the label switched path to a VRF instance. In this case, a label switched path is formed with VPN labels which are distributed by means of the MP-BGP protocol. As routes are not installed in a VRF, the service providers must take care of filtering of RT attributes for security reasons. Option (b) does not require the use of subconnections to associate VRFs between the ASBR routers, which is an advantage over option (a).
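The RT-filtering requirement of option (b) is easy to state and easy to forget, so here is an added example (not code from the patent or from any vendor implementation) of the inbound processing an option (b) ASBR has to do on the single MP-eBGP session: accept only VPN-IPv4 routes whose Route Targets all belong to VPNs the two providers have agreed to interconnect, rewrite the next hop to the ASBR itself, and allocate a fresh local VPN label that is swapped to the neighbour's label on the forwarding path. The RDs, RTs, labels and addresses are constructed; the "all RTs must be allowed" policy is one defensible choice, and an ASBR that instead strips unknown RTs would need a different rule.

```python
# Added example (not from the patent or RFC text): inbound policy of an
# option (b) ASBR.  Because the ASBR has no VRF, there is no per-VPN import
# policy to catch a route carrying a foreign RT, so the RT check is explicit.
# Every value below is constructed for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VpnRoute:
    rd: str               # route distinguisher, e.g. "65001:100"
    prefix: str           # customer IPv4 prefix
    rts: frozenset        # route-target extended communities
    vpn_label: int        # label the advertising router expects on packets
    next_hop: str         # BGP next hop (ASBR or PE address)


class OptionBAsbr:
    def __init__(self, own_address, allowed_rts, first_label=300000):
        self.own_address = own_address
        self.allowed_rts = frozenset(allowed_rts)   # RTs agreed with the peer SP
        self._next_label = first_label
        self.label_swaps = {}    # local label -> (peer next hop, peer label)
        self.rejected = []       # routes dropped by the RT policy (for audit)

    def _alloc(self):
        lbl = self._next_label
        self._next_label += 1
        return lbl

    def import_from_peer(self, routes):
        """Apply RT policy, rewrite next hop to self, allocate local labels."""
        accepted = []
        for r in routes:
            # Strict policy: every RT on the route must be an agreed one.  A
            # route with no RT at all is also dropped, since nothing could
            # legitimately import it.
            if not r.rts or not r.rts <= self.allowed_rts:
                self.rejected.append(r)
                continue
            local = self._alloc()
            self.label_swaps[local] = (r.next_hop, r.vpn_label)
            accepted.append(replace(r, vpn_label=local, next_hop=self.own_address))
        return accepted

    def forward(self, label):
        """Data plane: swap the local VPN label for the peer's, or None."""
        return self.label_swaps.get(label)


def demo():
    """Constructed scenario: ASBR2 receives three routes from ASBR1."""
    asbr2 = OptionBAsbr("192.0.2.2", allowed_rts={"65001:100"})
    inbound = [
        VpnRoute("65001:100", "10.0.0.0/24", frozenset({"65001:100"}), 16, "192.0.2.1"),
        VpnRoute("65001:200", "10.9.0.0/24", frozenset({"65001:200"}), 17, "192.0.2.1"),
        VpnRoute("65001:100", "10.0.1.0/24",
                 frozenset({"65001:100", "65001:200"}), 18, "192.0.2.1"),
    ]
    return asbr2, asbr2.import_from_peer(inbound)


if __name__ == "__main__":
    asbr, out = demo()
    for r in out:
        print(r.prefix, "next hop", r.next_hop, "label", r.vpn_label)
    print(len(asbr.rejected), "route(s) rejected by RT policy")
```

Only the first route survives: the second carries an RT for a VPN outside the agreement, and the third carries an allowed RT together with a foreign one, which a strict policy also refuses rather than risk importing it into the wrong VPN on a downstream PE.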
FIG. 3 illustrates the third inter-AS option (c) defined by RFC2547bis. In this option, the eBGP protocol is used between the ASBR routers to advertise the IPv4 addresses of the ingress edge routers (PE1 . . . PE4 in the example shown in FIG. 3) and a corresponding label to other Autonomous Systems AS. This way, a label switched path is provided between the ingress and the egress PEs of the packet. In this case, there is a PSN tunnel within which the VPN labels are transferred. VPN-IPv4 routes and VPN labels are typically distributed by means of a VPN Route Reflector. Each PE router (e.g. PE1, PE2, ASBR1, or PE3, PE4, ASBR2) in the same Autonomous System AS has an MP-iBGP session to a VPN Route Reflector of the specific AS. VPN Route Reflectors of different ASs exchange the VPN-IPv4 routes using the MP-eBGP protocol. However, label switched paths between several edge routers of different service providers pose a security risk. An advantage of option (c) is that the ASBR router does not need to maintain VPN routes.
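To make the option (c) data path concrete, the following added example (not code from the patent or the RFC) models the routing state a PE in AS2 ends up with: labelled IPv4 routes for the PE addresses of AS1 learned through its ASBR, and VPN-IPv4 routes relayed between the route reflectors that still name the AS1 PE as next hop. From those two tables the PE derives the two-label stack it pushes, and a helper lists how many of the other provider's PE infrastructure addresses it has to carry, which is the exposure behind the security remark above. All addresses, labels and names are constructed; the inner-AS transport label needed to reach ASBR2 is omitted to keep the stack to the two labels the text discusses.

```python
# Added example (not from the patent or RFC text): option (c) from the point
# of view of a PE in AS2.  A PSN tunnel runs end to end to the ingress PE in
# AS1, so the PE pushes [PSN label for remote PE, VPN label for the prefix].
# Addresses, labels and router names are constructed for illustration.
import ipaddress


class OptionCPeView:
    """Routing state of one PE under inter-AS option (c)."""

    def __init__(self, name):
        self.name = name
        self.pe_routes = {}    # remote PE loopback -> (PSN label, next hop)
        self.vpn_routes = []   # (prefix network, VPN label, originating PE)

    def learn_labelled_pe(self, pe_loopback, label, next_hop):
        """Labelled IPv4 route for a remote-AS PE, relayed by the local ASBR."""
        self.pe_routes[pe_loopback] = (label, next_hop)

    def learn_vpn_route(self, prefix, vpn_label, origin_pe):
        """VPN-IPv4 route from the VPN route reflector; next hop is the origin PE."""
        self.vpn_routes.append((ipaddress.ip_network(prefix), vpn_label, origin_pe))

    def label_stack(self, dst):
        """Labels pushed for dst: [PSN label, VPN label], or None if unreachable."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, vlabel, origin in self.vpn_routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, vlabel, origin)
        if best is None or best[2] not in self.pe_routes:
            # Either no VPN route, or no PSN tunnel to the remote PE: in
            # option (c) the VPN route alone is useless without the labelled
            # route to its next hop.
            return None
        psn_label, _ = self.pe_routes[best[2]]
        return [psn_label, best[1]]

    def foreign_pe_addresses(self, own_infrastructure):
        """Remote-provider PE addresses this PE must hold routes for."""
        own = ipaddress.ip_network(own_infrastructure)
        return sorted(a for a in self.pe_routes
                      if ipaddress.ip_address(a) not in own)


def build_as2_pe():
    """Constructed view of PE3 in AS2 after exchanging routes with AS1."""
    pe3 = OptionCPeView("PE3")
    # AS1's PE loopbacks (192.0.2.0/24 here) arrive as labelled routes via ASBR2
    pe3.learn_labelled_pe("192.0.2.1", 1001, "ASBR2")
    pe3.learn_labelled_pe("192.0.2.2", 1002, "ASBR2")
    # VPN-IPv4 routes relayed between the route reflectors keep the AS1 PE as next hop
    pe3.learn_vpn_route("10.0.0.0/24", 16, "192.0.2.1")
    pe3.learn_vpn_route("10.0.1.0/24", 17, "192.0.2.5")   # no labelled route exists
    return pe3


if __name__ == "__main__":
    pe3 = build_as2_pe()
    print(pe3.label_stack("10.0.0.9"))                      # [1001, 16]
    print(pe3.label_stack("10.0.1.9"))                      # None
    print(pe3.foreign_pe_addresses("198.51.100.0/24"))      # AS1 PEs known to AS2
```

Compared with option (b), where the next hop is rewritten so that only the ASBR address crosses the boundary, every entry returned by `foreign_pe_addresses` is an address of the other provider's edge that now has to be routable, and reachable by an LSP, from inside this AS.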