1. Field of the Invention
The present invention relates to communication networks and, more particularly, to a method and apparatus for supporting multiple customer provisioned EPSec VPNs.
2. Description of the Related Art
Data communication networks may include various computers, servers, nodes, routers, switches, bridges, hubs, proxies, and other network devices coupled together and configured to pass data to one another. These devices will be referred to herein as “network elements.” Data is communicated through the data communication network by passing protocol data units, such as data frames, packets, cells, or segments, between the network elements by utilizing one or more communication links. A particular protocol data unit may be handled by multiple network elements and cross multiple communication links as it travels between its source and its destination over the network.
The various network elements on the communication network communicate with each other using predefined sets of rules, referred to herein as protocols. Different protocols are used to govern different aspects of the communication, such as how signals should be formed for transmission between network elements, various aspects of what the protocol data units should look like, how packets should be handled or routed through the network by the network elements, and how information associated with routing information should be exchanged between the network elements. Two networks with the same network topography may operate in completely different ways depending on the particular protocols selected to enable the network elements to interoperate.
FIG. 1 illustrates an example communication network 10 in which VPN tunnels may be established to interconnect CEs connected to one or more VPN sites. As shown in FIG. 1, a service provider provides interconnectivity amongst Customer Edge (CE) network elements 12. A CE device 12 is a device which connects one or more VPN sites 14 to a Provider Edge node 16. Essentially, a CE device allows one or more VPN sites to interconnect with an external network so that one or more VPN sites may be interconnected over the communication network 10.
A Provider Edge (PE) node is a router which connects to one or more CE devices using a dynamic routing protocol to exchange CE reachability information. The PE connects with at least one other PE or P node. When handling Internet Protocol (IP) MultiProtocol Label Switched (MPLS) traffic, a PE node acts as a Label Edge Router which terminates Label Switched Path (LSP) tunnels used to forward traffic to other PE nodes. PE nodes may be directly connected to other PE nodes, or may be connected through other network elements such as backbone routers 18.
Backbone routers 18 are commonly designated in the industry by the letter P. The Provider “P” routers are backbone routers which provide interior gateway protocol connectivity between PE nodes. It may be possible for a given router to act as a PE node for some VPNs and as a P router for other VPNs, however, depending on the configuration of the communication network.
A Virtual Private Network (VPN) may be formed by securing communications between two or more networks or network elements to form a VPN tunnel, such as by encrypting or encapsulating transmissions between the networks or network elements. Using VPN tunnels enables geographically dispersed VPN sites to exchange information securely without obtaining dedicated resources through the network.
There are several common ways of establishing VPN tunnels on a network. For example, VPNs may be implemented at the Provider Edge (PE) network elements to allow the service provider to provision VPN services on behalf of the network customers. One common way to do this is described in Internet Engineering Task Force (IETF) Request For Comments (RFC) 2547, the content of which is hereby incorporated herein by reference. RFC 2547 describes a VPN architecture in which MultiProtocol Label Switching (MPLS)—based tunnels are used to forward packets over the network backbone. A protocol referred to as Border Gateway Protocol (BGP) is used to distribute routes over the backbone for VPNs provisioned through a particular PE network element. Routing information for the Provider-Provisioned VPNs is stored in a VPN routing and forwarding table (VRF) or a distinguishable area of the PE's common VRF.
A VPN also may be established by customers themselves independent of the provider by deploying CE network elements configured with VPN software. One common way to implement a CE-based VPN is to create Internet Protocol Security (IPSec) tunnels through the communication network. An IPSec based VPN uses point-to-point IPSec tunnels formed using an EPSec Security Association (SA) between every pair of CEs that are connected to VPN sites on the VPN. As the number of VPN sites grow, this point-to-point solution does not scale, since the number of SAs required to implement the VPN will increase on the order on n2. To overcome this, it is possible to use a group SA to enable all tunnels between the CEs on the VPN to use the same security association. A Group Controller Key Server (GCKS) may be used to manage the group security association for the VPN.
In a CE-based VPN, to enable devices on one VPN site to communicate with devices on another VPN site via an IPSec VPN tunnel, it is necessary to exchange VPN routing information between the two CEs connected to the VPN sites. The routing information enables the CEs to learn which VPN addresses may be reached via the VPN. As VPN sites and network elements are added and removed from the networks, the new routing information will be advertised to the other CEs connected to participating sites in the VPN.
Where MultiProtocol Border Gateway Protocol (MPBGP) is being used to distribute VPN routing information on a VPN, a given CE will establish an MPBGP peering session with every other CE with which it would like to exchange routing information. Where there are many CEs in the VPN, the GCKS may also serve as a route reflector to enable BGP routes to be exchanged between the various CEs by causing each CE to establish a single peering session with the route reflector, which will then distribute the routes to the other CEs.
Although the GCKS model of CE based VPNs is a single customer solution and supports a single VPN today, at times it may be desirable for a customer to be able to segregate traffic so that not all data is available to all users of the customer's network. For example, in a large corporation it may be desirable to segregate traffic between departments, so that each department is able to communicate securely without enabling other people in the company to have access to the data. An example of this may be where human resources has sensitive personal information about the corporation's employees that should not be made available to other persons within the corporation.
One way to implement multiple VPNs using a given CE is to cause the CE to instantiate multiple Virtual Routers, each of which may be used to handle traffic for a different VPN. A virtual router is a software construct in a physical router that has all the attributes of a physical router, but which shares processor time, switch plane resources, and other physical resources of the physical router. Because the virtual router is logically separate from other virtual routers, it has its own routing space, its own policy information, and is able to be provisioned much the same as any other router on the network. Virtual router based VPNs (VR-based VPNs) are described, for example, in an IETF Internet-Draft by Paul Knight, et al., entitled “Network-based IP VPN Architecture using Virtual Routers,” July 2002, the content of which is hereby incorporated herein by reference.
Conventionally, the use of virtual routers to implement multiple CE-based VPNs has required the CEs to obtain Security associations with multiple other CEs on a per-CE pair basis. Additionally, since the virtual routers are independent processes, each virtual router is required to exchange routing information with the other sites in its VPN. Thus, although multiple virtual routers may be used to implement multiple CE-based IPSec VPNs to segregate customer traffic, it would be advantageous to provide another way in which traffic for a given customer may be segregated using customer provisioned VPNs.