Virtual Private Networks are becoming an increasingly popular mechanism to interconnect multiple remote sites of a common entity, such as a corporation, university, governmental institution, or other enterprise. A VPN allows remote sites to interconnect as if colocated by providing message transport, security, and node addressing. Such a VPN interconnects multiple subnetworks, or local area networks (LANs), of an enterprise such as a corporation, university, or distributor, for example. The subnetworks, in turn, interconnect with each other via a private or public access network such as the Internet, intranets, VPNs and the like.
Such a subnetwork interconnection is typically known as a core network, and includes service providers having a high speed backbone of routers and trunk lines. Each of the subnetworks and the core networks has entry points known as edge routers, through which traffic ingressing into and egressing from the network flows. The core network has ingress/egress points handled by nodes known as provider edge (PE) routers, while the subnetworks have ingress/egress points known as customer edge (CE) routers, discussed further in Internet Engineering Task Force (IETF) RFC 2547bis, concerning Virtual Private Networks (VPNs).
An interconnection between the subnetworks of a VPN, therefore, typically includes one or more core networks. Each of the core networks is usually one or more autonomous systems (AS), meaning that it employs and enforces a common routing policy among the nodes (routers) included therein. Accordingly, the nodes of the core networks often employ a protocol operable to provide high-volume transport with path-based routing, meaning that the protocol does not merely specify a destination, as in TCP/IP; it implements an addressing strategy that allows unique identification of end points, and also allows specification of a particular routing path through the core network. One such protocol is the Multiprotocol Label Switching (MPLS) protocol, defined in Internet Engineering Task Force (IETF) RFC 3031. MPLS is a protocol that combines the label-based forwarding of ATM networks with the packet-based forwarding of IP networks and then builds applications upon this infrastructure.
Traditional MPLS, and more recently Generalized MPLS (G-MPLS) networks as well, extend the suite of IP protocols to expedite the forwarding scheme used by conventional IP routers, particularly through core networks employed by service providers (as opposed to end-user connections or taps). Routers, to date, have used complex and time-consuming route lookups and address matching schemes to determine the next hop for a received packet, primarily by examining the destination address in the header of the packet. MPLS has greatly simplified this operation by basing the forwarding decision on a simple label. Another major feature of MPLS is its ability to place IP traffic on a particular defined path through the network. Such path specification capability is generally not available with conventional IP traffic. In this way, MPLS provides bandwidth guarantees and other differentiated service features for a specific user application (or flow). Current IP-based MPLS networks are emerging for providing advanced services such as bandwidth-based guaranteed service, priority-based bandwidth allocation, and preemption services.
For each specific service, a table for a forwarding equivalence class (FEC) is created to represent a group of flows with the same traffic-engineering requirements. A specific label is then bound to an FEC. At the ingress of an MPLS network, incoming IP packets are examined and assigned a “label” by a label edge router (LER). The labeled packets are then forwarded along a label switched path (LSP), where each label-switched router (LSR) makes a switching decision based on the packet's label field. Such LSRs avoid examining the IP headers of the packets to find an output port (next hop). An LSR simply strips off the existing label and applies a new label for the next hop. The label information base (LIB) provides an outgoing label (to be inserted into the packet) and an outgoing interface, keyed on the incoming label and the incoming interface.
Therefore, MPLS uses a technique called label switching (or swapping or popping) as a means to transport data across a network. The routers within an MPLS network that are responsible for label processing are known as Label Switching Routers (LSRs), and the path followed by data is known as a Label Switched Path (LSP). Upon entry to an MPLS network, such as from a CE router via a PE router, an MPLS-specific header is inserted at the front of each packet to, in effect, re-encapsulate it. The MPLS header contains a stack of labels—one or more—that uniquely identify the switching path between any two LSRs. This label tells adjacent switching nodes how to process and forward the data. As each packet is received by a node, the node may push a new label onto the packet's stack before forwarding it on, pop one from the stack, or swap one or more of the labels with new ones. The path of the packet through the network is defined by its initial labeling. Accordingly, the subsequent mapping of labels must be consistent at each node so as to form a complete label switched path between the ingress to and the egress from the MPLS network.
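The two paragraphs above describe the whole forwarding chain: FEC classification and label push at the ingress LER, LIB-driven swap at each transit LSR keyed on (incoming interface, incoming label), and a pop at the egress before ordinary IP delivery. The following Python simulation is an added example written for this page; it is not code from the source document. The topology (PE1, P1, P2, PE2, CE2), interface names, FEC prefixes and label values are all constructed for illustration. Because transit LSRs act on the top label alone and never inspect the IP header, a single missing or inconsistent LIB binding silently strands traffic, so the example also includes an end-to-end consistency check of the kind a network operator would run to confirm that the labels programmed at each node really form a complete LSP from ingress to egress.

```python
import ipaddress

# Constructed topology (assumption, not from the page):
# CE1 -> PE1 (ingress LER) -> P1 -> P2 -> PE2 (egress LER) -> CE2

# Ingress LER FEC table: here an FEC is a destination prefix, and the label
# bound to it selects the LSP used by every flow matching that prefix.
FEC_TABLE = {
    ipaddress.ip_network("10.2.0.0/16"): 100,
    ipaddress.ip_network("10.3.0.0/16"): 101,
}

# Label information base per LSR:
#   (incoming interface, incoming label) -> (outgoing label, outgoing interface)
# An outgoing label of None means "pop"; the egress LER then routes on the
# IP header that the pop exposes.  Label 201 is deliberately left unmapped
# at P2 to show what an inconsistently programmed LSP looks like.
LIBS = {
    "P1":  {("eth0", 100): (200, "eth1"), ("eth0", 101): (201, "eth1")},
    "P2":  {("eth0", 200): (300, "eth1")},
    "PE2": {("eth0", 300): (None, "eth1")},
}

# Physical adjacency: (node, outgoing interface) -> (next node, its incoming interface)
LINKS = {
    ("PE1", "eth1"): ("P1", "eth0"),
    ("P1", "eth1"): ("P2", "eth0"),
    ("P2", "eth1"): ("PE2", "eth0"),
    ("PE2", "eth1"): ("CE2", "eth0"),
}


def ingress_push(dst_ip):
    """Ingress LER: classify the packet into an FEC by longest prefix match and
    push the bound label.  Returns the new label stack, or None if no FEC matches."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, label) for net, label in FEC_TABLE.items() if addr in net]
    if not matches:
        return None
    _, label = max(matches)          # longest prefix wins
    return [label]


def lsr_forward(node, in_iface, labels):
    """One LSR hop: look only at the top label (never the IP header), swap or
    pop it per the LIB, and return (new label stack, outgoing interface).
    Raises KeyError when the LIB has no binding for (in_iface, top label)."""
    top = labels[-1]
    out_label, out_iface = LIBS[node][(in_iface, top)]
    new_stack = labels[:-1] if out_label is None else labels[:-1] + [out_label]
    return new_stack, out_iface


def trace_lsp(dst_ip):
    """Follow a packet from PE1 towards the egress and return the hop list as
    (node, label stack on exit).  The last entry is either an IP delivery
    marker (complete LSP) or a description of where the label chain broke."""
    stack = ingress_push(dst_ip)
    if stack is None:
        return [("PE1", "no FEC")]
    hops = [("PE1", list(stack))]
    node, in_iface = LINKS[("PE1", "eth1")]
    while stack:                      # an empty stack means the egress has popped
        try:
            stack, out_iface = lsr_forward(node, in_iface, stack)
        except KeyError:
            hops.append((node, "unmapped label %d" % stack[-1]))
            return hops
        hops.append((node, list(stack)))
        node, in_iface = LINKS[(node, out_iface)]
    hops.append((node, "IP delivery to %s" % dst_ip))
    return hops


def lsp_is_complete(dst_ip):
    """Consistency check: True only when every hop mapped its label and the
    stack was empty at the egress, i.e. the LSP is programmed end to end."""
    last_hop = trace_lsp(dst_ip)[-1][1]
    return isinstance(last_hop, str) and last_hop.startswith("IP delivery")


if __name__ == "__main__":
    for dst in ("10.2.5.9", "10.3.1.1", "192.168.1.1"):
        print(dst, "complete" if lsp_is_complete(dst) else "BROKEN", trace_lsp(dst))
```

Running the block shows the working LSP (100 at PE1, swapped to 200 at P1 and 300 at P2, popped at PE2) next to the broken one, where P2 has no binding for label 201 and the trace stops there; a packet for 192.168.1.1 matches no FEC and is never labeled at all.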
Therefore, a Virtual Private Network (VPN) typically employs one or more core networks to interconnect a plurality of local networks, such as LANs, by a VPN service operable to provide transport, routing and security to message traffic between the subnetworks, such that nodes of each sub-LAN can communicate with nodes of other sub-LANs as members of the same VPN. In a typical VPN arrangement, the particular subnetworks may be individual sites of a large business enterprise, such as a bank, retailer, or large corporation, having multiple distinct sites each with a substantial subnetwork. A conventional VPN in such an environment is well suited to provide transparent protection of communication between the subnetworks, such as ensuring protection of transported data via security and encryption, routing policies, and access control among valid users via privileges and access credentials, for example. Message traffic between the VPN subnetworks, therefore, egresses from an originating subnet via a CE router, enters a core network denoting an autonomous system (AS) via a PE router, and traverses one or more AS core networks to a remote PE router, where it enters a remote VPN subnet via a CE router operable to deliver the message traffic to an IP destination.