Cisco IP/MPLS Interprovider Solution Deployment Overview

...(omitted)

Inter-AS/Interprovider specification in RFC2547bis

IETF, RFC2547bis, Section 10:

10a: Simple IP interconnect: the other network looks like a CE for each cross-SP VPN

10b: Trusted MPLS interconnect: one logical connection for all VPNs, but VPN routes still have to be maintained on the provider border routers

10c: Trusted and even more scalable MPLS interconnect: provider border routers do not have to maintain VPN routes

...(omitted)

Autonomous system interconnect using content identification and validation

...(omitted)

[0010] The industry has standardized on a few Inter-Autonomous System (AS) models that service providers may deploy. The current industry standards for Inter-AS solutions are the models defined as 10a, 10b and 10c, named after the options (a), (b) and (c) in Section 10 of RFC2547bis.

[0011] The first model defined, and deployed by many service providers, is the 10a model. The 10a model requires the provider to build on its ASBR a VRF per VPN, a unique peering interface per VRF, and a unique routing process per VRF. The peer ASBR does the same, creating a one-to-one relationship between the two ASBRs. The advantages of the 10a model include discrete interfaces that facilitate QoS mechanisms, and explicit resource management methods that protect memory and processing resources. Likewise, the exposure of the ASBR and the attached network is limited, because the peer only ever sees an IP adjacency per VPN.

[0012] The second model defined, and deployed by a few service providers, is the 10b model. The 10b model only requires the provider to build a single interface for each peer and a single routing process on that interface. The routing process (MP-BGP carrying VPNv4 routes) maintains the segregation of VPN prefixes without having to use discrete VRFs per enterprise VPN. The advantages include less memory consumption for routing prefixes and interfaces, less processor consumption for the routing process, and automatic VPN session binding between the ASBRs.

[0013] The third model defined, and rarely deployed by service providers, is the 10c model. The 10c model also only requires the provider to build a single interface for each peer and a single routing process on that interface. A routing process (MP-BGP) maintains the segregation of VPN prefixes without requiring a presence on the ASBR. The advantages include even less memory consumption for routing prefixes, since the VPN prefixes are passed around the ASBR. The ASBR also consumes even less processing, since it serves as a core device that merely provides connectivity between the two ASes.

[0014] The two most commonly used models, 10a and 10b, have complementary strengths: where 10a is strong, 10b is weak, and vice versa. Table 1 provides a synopsis of the existing solutions.

Table 1. ASBR properties of the three Inter-AS models

    ASBR property     10a          10b          10c
    Routing           Many         One          One
    Interfaces        Many         One          One
    Memory            Per-prefix   Per-label    Per-label
    QoS               Per-VPN      Global       Global
    Configuration     Manual       Dynamic      Dynamic
    Resource mgmt     Strong       Weak         Weak
    Security          Strong       Weak         Very weak

[0015] Routing processes are complex state machines that keep track of prefixes and the paths to reach them. Routing processes can be constrained by a number of factors, such as the number of peers or adjacencies, the number of routing entries, and the number of potentially viable paths for each routing entry. As the number of prefixes and interfaces increases, the computational complexity increases, requiring more processor schedule time. Excessive routing computation on the ASBR may impact any or all of the VPNs. As shown in Table 1, the 10a method requires many routing processes, while the 10b and 10c methods require a single routing process.

[0016] Interfaces consume memory constructs and typically require an operator to configure the interface and the associated peer entity. The cost of a VPN interface is usually not too cumbersome in an Inter-AS solution, as the number of VPNs is typically small. Nevertheless, the interface must be created and correctly associated with the appropriate customer. The 10a method requires many interfaces, while the 10b and 10c methods require a single interface.

[0017] Memory is allocated for VPN prefixes. VPN prefixes can create a resource burden on the ASBR. The number of prefixes is not directly controlled by a single provider or customer, but by the aggregate set of operators and customers. For this reason, memory allocated for VPN prefixes may be very precious. The 10a method requires memory on a per-prefix basis, while the 10b and 10c methods require memory on a per-label and per-prefix basis.

[0018] Customers of an MPLS VPN are particularly interested in QoS, especially at provider boundaries, where SLAs tend to be difficult to enforce. Each enterprise has unique QoS requirements that may be difficult to handle in aggregate; however, provisioning a QoS model per customer is also a challenge, especially when there is no discrete point at which the QoS model can be applied. The 10a method allows QoS on a per-VPN basis, whereas the 10b and 10c methods only allow QoS on a global basis.

[0019] The Inter-AS model requires a configuration that establishes a relationship between the ASBRs for each VPN. The configuration should be simple to implement and easy to replicate. All methods require manual configuration, either through the CLI or a management tool, although 10a carries an additional configuration burden because of the number of VRFs and interfaces required.

[0020] Resources (memory, interfaces, and processor schedule time) are precious to a service provider. In particular, the provider is interested in "One Time Provisioning" for many services. In addition, managing the allocated resources can become a burden. To minimize operational expenditure, the provider will frequently over-provision many of the components in a solution if the capital cost of those components is negligible; conversely, expensive components are monitored closely and allocated judiciously. Resource management plays a critical role in ensuring that SLAs are met. The 10a method provides strong resource management, while the 10b and 10c methods provide weak resource management.

[0021] Closely related to resource management is security. Security requirements permeate the solution so that the provider can protect its assets, its ability to provide services, and one customer from another. Security is based on a risk management model in which the law of diminishing returns plays a critical role: the cost of security (capital, functional and operational costs) must be balanced against the potential risk (liability, credibility, etc.). Clearly, failure to address the security requirements of a solution makes the previous points somewhat pointless. The 10a method provides strong security, the 10b method weaker security, and the 10c method weaker still: a 10a ASBR exposes only an IP adjacency per VPN, a 10b ASBR must accept every VPNv4 route and label the peer sends over a single trusted session, and in 10c the VPN routes bypass the ASBR entirely, so the peer provider's PEs are reached directly and the trust boundary extends into each provider's core.

[0022] Conventional mechanisms such as those explained above suffer from a variety of deficiencies. One such deficiency is that the conventional 10a model consumes more resources on the ASBR, which limits the scalability of the model. These resources include the routing entries, interfaces, and routing processes that must be established: routing entries and interfaces consume memory, while routing processes consume processing resources. In addition, each of these constructs must be manually configured per customer.

...

[0064] One method of controlling the number of prefixes received from the peer ASBR is to bound the memory space allocated to each VPN. In the Inter-AS 10a model this is done by accepting only a fixed number of prefixes into the VRF associated with the customer; the customer's prefixes are identified by the routing adjacency over which they arrive from the peer ASBR (a unique OSPF process, or a per-VRF address family for BGP, EIGRP or RIP). In the 10b model there is no means of automatically identifying a customer's set of prefixes in the global LFIB. Each VPN prefix carries the BGP next-hop, the Route Distinguisher (RD) and one or more Route Targets (RTs). The BGP next-hop is not unique per customer, and an administrative domain operator frequently uses multiple RDs for a single MPLS VPN customer, so the only element that can uniquely define a customer's set of prefixes is the RT. The approach to bounding the set of VPN prefixes is therefore to allocate memory for the customer's prefixes and to populate it by matching a subset of the RT values received in the BGP VPNv4 updates. One technique is to partition the LFIB on a per-customer basis: the ASBR receives VPNv4 prefixes, matches each against the RT values assigned to a given VPN's LFIB allocation, and builds the VPNv4 label-switching entry in that partition. This prevents an excessive number of VPN prefixes received from the peer ASBR from consuming the local ASBR's memory. The memory partition for a single VPN may still be exhausted, but the problem is then contained to that individual VPN.
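The RT-keyed partitioning described in [0064], worked through as a small simulation. This is an added example written for this page; it is not code from the page, from the patent or from Cisco. It models a 10b ASBR receiving VPNv4 updates over one session from a peer ASBR: each update carries the BGP next-hop, an RD, a label and one or more RTs, only the RT identifies the customer, and the LFIB is split into fixed-capacity partitions selected by RT. The customer names, RT/RD/label values, the rejection of an update whose RTs match no partition, and charging an update that matches several partitions to the first one in configuration order are all assumptions made for the example.

```python
"""Per-VPN bounding of VPNv4 state on a 10b ASBR, modelled in Python.

Constructed example for this page; not code from the page, the patent or
Cisco. Assumed: customer names, RT/RD/label values, rejection of updates
whose RTs match no partition, and first-match ordering across partitions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Update:
    """One VPNv4 NLRI as received from the peer ASBR (values constructed)."""
    rd: str            # route distinguisher, e.g. "65002:100"
    prefix: str        # IPv4 prefix inside the VPN
    label: int         # MPLS label the peer expects for this prefix
    next_hop: str      # BGP next-hop (the peer ASBR); shared by all customers
    rts: tuple         # route-target extended communities, e.g. ("65001:100",)


@dataclass
class LfibPartition:
    """Memory reserved for one customer's label-switching entries."""
    name: str
    rts: frozenset     # RT values that select this partition
    capacity: int      # maximum number of (RD, prefix) entries
    entries: dict = field(default_factory=dict)   # (rd, prefix) -> label

    @property
    def exhausted(self) -> bool:
        return len(self.entries) >= self.capacity


class PartitionedAsbr:
    """10b ASBR whose LFIB is split into per-customer partitions keyed on RT."""

    def __init__(self, partitions):
        self.partitions = list(partitions)
        self.rejected = []   # (update, reason) pairs for the operator's log

    def classify(self, update):
        """Return the first partition whose RT set intersects the update's RTs.

        The BGP next-hop and the RD cannot be used: the next-hop is the same
        peer for every customer, and one customer often has several RDs.
        """
        for part in self.partitions:
            if part.rts.intersection(update.rts):
                return part
        return None

    def receive(self, update) -> bool:
        """Install one update, or reject it without touching other partitions."""
        key = (update.rd, update.prefix)
        part = self.classify(update)
        if part is None:
            self.rejected.append((update, "no partition matches RT"))
            return False
        if key in part.entries:          # replacement path: reuse the slot
            part.entries[key] = update.label
            return True
        if part.exhausted:               # overflow stays inside this customer
            self.rejected.append((update, f"partition {part.name} exhausted"))
            return False
        part.entries[key] = update.label
        return True

    def occupancy(self):
        return {part.name: len(part.entries) for part in self.partitions}


def build_demo():
    """Constructed scenario: CUST-A behaves, CUST-B floods more prefixes than it bought."""
    asbr = PartitionedAsbr([
        LfibPartition("CUST-A", frozenset({"65001:100"}), capacity=4),
        LfibPartition("CUST-B", frozenset({"65001:200", "65001:201"}), capacity=3),
    ])
    peer = "203.0.113.2"
    updates = [Vpnv4Update("65002:100", "10.1.0.0/24", 16, peer, ("65001:100",))]
    # The peer announces ten CUST-B prefixes, spread over two RDs but one RT.
    for i in range(10):
        updates.append(Vpnv4Update(f"65002:{200 + i % 2}", f"10.2.{i}.0/24",
                                   100 + i, peer, ("65001:200",)))
    # A later CUST-A prefix must still be accepted, and an unknown RT dropped.
    updates.append(Vpnv4Update("65002:100", "10.1.9.0/24", 18, peer, ("65001:100",)))
    updates.append(Vpnv4Update("65002:999", "10.9.0.0/24", 999, peer, ("65001:999",)))
    results = [asbr.receive(update) for update in updates]
    return asbr, results


if __name__ == "__main__":
    asbr, results = build_demo()
    print("accepted per partition:", asbr.occupancy())
    for update, reason in asbr.rejected:
        print(f"rejected {update.rd}:{update.prefix} ({reason})")
```

Running the scenario leaves CUST-B capped at its three entries while both CUST-A prefixes are installed, which is the containment property the paragraph describes. The 10a equivalent needs no RT matching at all, because the per-VRF adjacency already identifies the customer; on Cisco IOS that bound is the `maximum routes` limit configured under the VRF.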

...(omitted)
