The present invention relates to the provision of virtual private network (VPN) services through carrier networks such as Metropolitan Area Networks (MANs) or Wide Area Networks (WANs).
A VPN emulates a private network over public or shared infrastructures. When the shared infrastructure is an IP network such as the Internet, the VPN can be based on an IP tunneling mechanism, as described in Request For Comments (RFC) 2764 published in February 2000 by the Internet Engineering Task Force (IETF). Another approach, with which the present invention is more particularly concerned, provides link layer connectivity for the devices affiliated to the VPN.
Traditional layer 2 WAN data services provided by carriers are based on the virtual circuit concept. Data units are switched within the carrier network along pre-established trails referred to as virtual circuits. These data units are for instance packets in X.25 networks, frames in Frame Relay (FR) networks, cells in Asynchronous Transfer Mode (ATM) networks, . . . The carrier network may also have a Multi-Protocol Label Switching (MPLS) architecture built over an infrastructure supporting a connectionless network layer protocol such as IP. MPLS is described in RFC 3031 published in January 2001 by the IETF. The virtual circuits within an MPLS network are referred to as Label Switched Paths (LSPs).
The virtual circuits can be pre-established by a configuration process, called “provisioning,” performed by the network operator: they are then called Permanent Virtual Circuits (PVC). Alternatively, they can be established dynamically on request from the customer equipment: they are then called Switched Virtual Circuits (SVC).
Providing an SVC service puts constraints on both the Provider Edge (PE) and the Customer Edge (CE) devices. Both must support a common signaling set-up protocol such as, e.g., the ATM Q.2931 signaling protocol for ATM switched networks. Signaling protocols are complex, they induce additional costs (equipment costs, operational costs . . . ) and they may cause interoperability problems. Inadequate operation of one CE may block a PE and hence interrupt the service for several other customers. Most of the time, higher-level protocols and applications have not been designed to properly drive such SVC signaling, and it is necessary to develop sub-optimal emulation modes (for instance LAN emulation, classical IP over ATM, . . . ). These issues can explain why SVC services have been so seldom deployed for FR and ATM networks.
On the other hand, providing a PVC service requires an agreement between the provider and the customer regarding the endpoints of each virtual circuit. Then it requires provisioning of each virtual circuit by the provider. Often, it also requires additional provisioning by the customer in the CE device, unless some special signaling allows CE devices to automatically discover the virtual circuits. In any case, these provisioning actions must be performed coherently between the provider and his customers, and they are a potential source of problems.
Recently, several vendors have been promoting Ethernet as a universal access medium for LAN, MAN and WAN services. Several drafts presented at the IETF cover the way to signal and provision layer 2 virtual private network (L2 VPN) services based on an IP/MPLS infrastructure (see, e.g., Kompella et al., “MPLS-based Layer 2 VPNs”, Internet Draft, draft-kompella-ppvpn-l2vpn-00.txt, published in June 2001 by the IETF).
As specified in the IEEE standard 802.1Q approved in December 1998, Ethernet networks may support one or more Virtual Local Area Networks (VLANs). An Ethernet frame circulating in such a network may include, after the source Medium Access Control (MAC) address, an additional four-byte field called tag header or Q-tag which contains a 12-bit VLAN identifier (VID). Accordingly, a VLAN-aware Ethernet bridge has the ability to perform frame switching based on the VID, deduced either from the physical port from which the incoming frame is received (for untagged frames) or from the contents of its tag header. A VLAN is used for the layer 2 broadcasting and forwarding of frames within a sub-group of users (subscribers of that VLAN). For example, in a corporation, it is possible to define respective virtual LANs for various departments to enable selective broadcasting and forwarding of information in the layer 2 procedures.
It has been suggested that the concept of VLAN can be extended in the case where Ethernet traffic is transported over an MPLS network (see, e.g., Martini et al., “Transport of Layer 2 Frames Over MPLS”, Internet Draft, draft-martini-l2circuit-trans-mpls-07.txt, published in July 2001 by the IETF).
In such a case, a specific MPLS virtual circuit, or LSP, originating at a PE can be associated with each VLAN to forward the frames intended for subscribers of that VLAN. The CE sends tagged frames to the PE and the latter switches them to the relevant virtual circuits based on the ingress physical port and the VID.
It should be noted that this port/VID switching mechanism will achieve the full functionality of an IEEE 802.1Q network only on the condition that the different hosts pertaining to any given VLAN of a VPN are not linked to the carrier network through more than two PE/CE interfaces. Otherwise, VLAN identification is not sufficient for the source PE to determine which is the destination PE or CE, i.e. whether a virtual circuit or a physical port is to be used, and if so which one. When such a constraint exists on the VLAN topology, the VPN service provided by the carrier can be referred to as a “virtual connection” or “point-to-multipoint” service.
Other types of VPN service do not rely on such port/VID switching at the PEs. For example, a full VLAN service (supporting more than two PE/CE interfaces per VLAN within a VPN) can be provided if the PEs are capable of performing MAC address learning and switching, like an Ethernet bridge. However, this is rather complex because the carrier has to store and maintain tables at the PEs, for associating a virtual circuit or physical port to any Ethernet MAC address found in a frame coming from the CE.
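The following is an added worked example of the port/VID switching mechanism described above; it is not code from the patent or from any vendor's PE implementation. It parses an Ethernet frame, derives the VID either from the 802.1Q tag header or, for untagged frames, from the ingress port's default VID (PVID), switches the frame to the virtual circuit provisioned for (ingress port, VID), and enforces the "virtual connection" constraint that each VLAN is bound to exactly two endpoints. Endpoint notation (a local CE-facing port or an LSP identified by its label), port numbers, label values and the sample frames are all constructed for the example. MAC address learning, the alternative mentioned above for full VLAN service, is deliberately not implemented: the lookup below never consults the destination MAC.

```python
"""Port/VID switching at a Provider Edge (PE) for an Ethernet-over-MPLS VPN.

Illustrative code only (not the patent's or any vendor's). Endpoint names,
label values and sample frames are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier that introduces a Q-tag
Endpoint = tuple     # ("port", <CE-facing port number>) or ("lsp", <label>)


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None when the frame carries no VLAN identifier
    pcp: int            # 802.1p priority bits of the TCI (0 if untagged)
    ethertype: int
    payload: bytes


def parse_ethernet(raw: bytes) -> Frame:
    """Split an Ethernet II frame, recognising a Q-tag placed after the source MAC."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src = raw[:6], raw[6:12]
    (tpid,) = struct.unpack("!H", raw[12:14])
    if tpid != TPID_8021Q:
        return Frame(dst, src, None, 0, tpid, raw[14:])
    if len(raw) < 18:
        raise ValueError("tagged frame too short")
    tci, ethertype = struct.unpack("!HH", raw[14:18])
    pcp, vid = tci >> 13, tci & 0x0FFF
    if vid == 0xFFF:
        raise ValueError("VID 0xFFF is reserved")
    # VID 0 means "priority-tagged": a priority is carried but no VLAN membership,
    # so the frame is treated like an untagged one for switching purposes.
    return Frame(dst, src, vid or None, pcp, ethertype, raw[18:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble a (possibly tagged) frame; used here only to construct sample input."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


class ProviderEdge:
    def __init__(self) -> None:
        self.pvid: dict = {}       # CE port -> default VID for untagged frames
        self.table: dict = {}      # (CE port, VID) -> egress endpoint
        self.lsp_table: dict = {}  # incoming LSP label -> egress endpoint

    def set_pvid(self, port: int, vid: int) -> None:
        self.pvid[port] = vid

    def provision(self, vid: int, endpoints: list) -> None:
        """Bind one VLAN to exactly two endpoints (the 'virtual connection' constraint)."""
        if len(endpoints) != 2:
            raise ValueError("a VLAN of a virtual connection service spans exactly two endpoints")
        a, b = endpoints
        for here, there in ((a, b), (b, a)):
            kind, ident = here
            if kind == "port":
                if (ident, vid) in self.table:
                    raise ValueError(f"port {ident} VID {vid} already provisioned")
                self.table[(ident, vid)] = there
            elif kind == "lsp":
                if ident in self.lsp_table:
                    raise ValueError(f"LSP label {ident} already provisioned")
                self.lsp_table[ident] = there
            else:
                raise ValueError(f"unknown endpoint kind {kind!r}")

    def switch_from_ce(self, port: int, raw: bytes) -> Endpoint:
        """Switch a frame received from a CE on 'port' using only (port, VID)."""
        frame = parse_ethernet(raw)
        vid = frame.vid if frame.vid is not None else self.pvid.get(port)
        if vid is None:
            raise LookupError(f"untagged frame on port {port} with no PVID: dropped")
        try:
            return self.table[(port, vid)]
        except KeyError:
            raise LookupError(f"no virtual circuit for port {port} VID {vid}: dropped") from None

    def switch_from_lsp(self, label: int) -> Endpoint:
        """Frames arriving over an LSP are identified by label alone."""
        return self.lsp_table[label]


def demo() -> dict:
    pe = ProviderEdge()
    pe.set_pvid(2, 200)
    pe.provision(100, [("port", 1), ("lsp", 1001)])  # VID 100: CE port 1 <-> remote PE
    pe.provision(200, [("port", 2), ("port", 3)])    # VID 200: two local CE ports
    ce_a, ce_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    tagged = build_frame(ce_a, ce_b, 0x0800, b"ip", vid=100, pcp=5)
    untagged = build_frame(ce_a, ce_b, 0x0806, b"arp")
    return {"tagged": pe.switch_from_ce(1, tagged),
            "untagged": pe.switch_from_ce(2, untagged),
            "return": pe.switch_from_lsp(1001)}


if __name__ == "__main__":
    print(demo())
```

Note that nothing in `switch_from_ce` depends on the destination MAC: once a VLAN is attached to a third endpoint, the (port, VID) key can no longer name a single egress, which is exactly why `provision` refuses it and why the full VLAN service of the previous paragraph needs MAC learning at the PE.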
Because Ethernet media were designed from the beginning as a LAN technology, they do not provide the signaling mechanisms required for WAN SVC networks. So establishing Ethernet PVC across a WAN network requires provisioning in both PE and CE devices.
An object of the present invention is to alleviate these provisioning issues.
Another object is to provide for dynamic establishment of Ethernet-like SVCs without any signaling between CE and PE devices.
Another object is to provide an Ethernet-like VPN service of the virtual connection type without requiring changes in the CE devices. These devices should advantageously use regular Ethernet adapters, the upper layer protocols and applications remaining unchanged.