Network Working Group                                      N. Bitar, Ed.
Request for Comments: 5254                                       Verizon
Category: Informational                                    M. Bocci, Ed.
                                                          Alcatel-Lucent
                                                         L. Martini, Ed.
                                                     Cisco Systems, Inc.
                                                            October 2008

Requirements for Multi-Segment Pseudowire Emulation Edge-to-Edge (PWE3)

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Abstract

This document describes the necessary requirements to allow a service provider to extend the reach of pseudowires across multiple domains. These domains can be autonomous systems under one provider administrative control, IGP areas in one autonomous system, different autonomous systems under the administrative control of two or more service providers, or administratively established pseudowire domains.

Table of Contents

   1. Introduction ....................................................3
      1.1. Scope ......................................................3
      1.2. Architecture ...............................................3
   2. Terminology .....................................................6
      2.1. Specification of Requirements ..............................6
   3. Use Cases .......................................................7
      3.1. Multi-Segment Pseudowire Setup Mechanisms ..................9
   4. Multi-Segment Pseudowire Requirements ..........................10
      4.1. All Mechanisms ............................................10
           4.1.1. Architecture .......................................10
           4.1.2. Resiliency .........................................11
           4.1.3. Quality of Service .................................11
           4.1.4. Congestion Control .................................12
           4.1.5. Generic Requirements for MS-PW Setup Mechanisms ....13
           4.1.6. Routing ............................................14
      4.2. Statically Configured MS-PWs ..............................15
           4.2.1. Architecture .......................................15
           4.2.2. MPLS-PWs ...........................................15
           4.2.3. Resiliency .........................................15
           4.2.4. Quality of Service .................................16
      4.3. Signaled PW Segments ......................................16
           4.3.1. Architecture .......................................16
           4.3.2. Resiliency .........................................16
           4.3.3. Quality of Service .................................17
           4.3.4. Routing ............................................17
           4.3.5. Additional Requirements on Signaled MS-PW Setup
                  Mechanisms .........................................17
      4.4. Signaled PW / Dynamic Route ...............................18
           4.4.1. Architecture .......................................18
           4.4.2. Resiliency .........................................18
           4.4.3. Quality of Service .................................18
           4.4.4. Routing ............................................18
   5. Operations and Maintenance (OAM) ...............................19
   6. Management of Multi-Segment Pseudowires ........................20
      6.1. MIB Requirements ..........................................20
      6.2. Management Interface Requirements .........................21
   7. Security Considerations ........................................21
      7.1. Inter-Provider MS-PWs .....................................21
           7.1.1. Data-Plane Security Requirements ...................21
           7.1.2. Control-Plane Security Requirements ................23
      7.2. Intra-Provider MS-PWs .....................................25
   8. Acknowledgments ................................................25
   9. References .....................................................25
      9.1. Normative References ......................................25
      9.2. Informative References ....................................25
        
1. Introduction

1.1. Scope

This document specifies requirements for extending pseudowires across more than one packet switched network (PSN) domain and/or more than one PSN tunnel. These pseudowires are called multi-segment pseudowires (MS-PWs). Requirements for single-segment pseudowires (SS-PWs) that extend edge to edge across only one PSN domain are specified in [RFC3916]. This document is not intended to invalidate any part of [RFC3985].

This document specifies additional requirements that apply to MS-PWs. These requirements do not apply to PSNs that only support SS-PWs.

1.2. Architecture

The following three figures describe the reference models that are derived from [RFC3985] to support PW emulated services.

         |<-------------- Emulated Service ---------------->|
         |                                                  |
         |          |<------- Pseudowire ------->|          |
         |          |                            |          |
         |          |    |<-- PSN Tunnel -->|    |          |
         | PW End   V    V                  V    V  PW End  |
         V Service  +----+                  +----+  Service V
   +-----+    |     | PE1|==================| PE2|     |    +-----+
   |     |----------|............PW1.............|----------|     |
   | CE1 |    |     |    |                  |    |     |    | CE2 |
   |     |----------|............PW2.............|----------|     |
   +-----+  ^ |     |    |==================|    |     | ^  +-----+
         ^  |       +----+                  +----+     | |  ^
         |  |   Provider Edge 1         Provider Edge 2  |  |
         |  |                                            |  |
   Customer |                                            | Customer
   Edge 1   |                                            | Edge 2
            |                                            |
            |                                            |
    Attachment Circuit (AC)                    Attachment Circuit (AC)
      Native service                              Native service

Figure 1: PWE3 Reference Configuration

Figure 1 shows the PWE3 reference architecture [RFC3985]. This architecture applies to the case where a PSN tunnel extends between two edges of a single PSN domain to transport a PW with endpoints at these edges.

         Native  |<--------Multi-Segment Pseudowire----->|  Native
         Service |         PSN              PSN          |  Service
          (AC)   |     |<-Tunnel->|     |<-Tunnel->|     |  (AC)
           |     V     V     1    V     V     2    V     V   |
           |     +-----+          +-----+          +-----+   |
   +---+   |     |T-PE1|==========|S-PE1|==========|T-PE2|   |    +---+
   |   |---------|........PW1...........|...PW3..........|--------|   |
   |CE1|   |     |     |          |     |          |     |   |    |CE2|
   |   |---------|........PW2...........|...PW4..........|--------|   |
   +---+   |     |     |==========|     |==========|     |   |    +---+
       ^         +-----+          +-----+          +-----+        ^
       |     Provider Edge 1         ^        Provider Edge 3     |
       |                             |                            |
       |                             |                            |
       |                     PW switching point                   |
       |                                                          |
       |                                                          |
       |<------------------- Emulated Service ------------------->|

Figure 2: PW Switching Reference Model

Figure 2 extends this architecture to show a multi-segment case. Terminating PE1 (T-PE1) and Terminating PE2 (T-PE2) provide PWE3 service to CE1 and CE2. These PEs terminate different PSN tunnels, PSN Tunnel 1 and PSN Tunnel 2, and may reside in different PSN or pseudowire domains. One PSN tunnel extends from T-PE1 to S-PE1 across PSN1, and a second PSN tunnel extends from S-PE1 to T-PE2 across PSN2.

PWs are used to connect the Attachment circuits (ACs) attached to T-PE1 to the corresponding ACs attached to T-PE2. Each PW on PSN tunnel 1 is switched to a PW in the tunnel across PSN2 at S-PE1 to complete the multi-segment PW (MS-PW) between T-PE1 and T-PE2. S-PE1 is therefore the PW switching point and will be referred to as the PW switching provider edge (S-PE). PW1 and PW3 are segments of the same MS-PW while PW2 and PW4 are segments of another pseudowire. PW segments of the same MS-PW (e.g., PW1 and PW3) MAY be of the same PW type or different types, and PSN tunnels (e.g., PSN Tunnel 1 and PSN Tunnel 2) can be the same or different technology. This document requires support for MS-PWs with segments of the same PW type only.

An S-PE switches an MS-PW from one segment to another based on the PW identifiers (e.g., PW label in case of MPLS PWs). In Figure 2, the domains that PSN Tunnel 1 and PSN Tunnel 2 traverse could be IGP areas in the same IGP network or simply PWE3 domains in a single flat IGP network, for instance.

                |<------Multi-Segment Pseudowire------>|
                |         AS                AS         |
            AC  |    |<----1---->|     |<----2--->|    |  AC
            |   V    V           V     V          V    V  |
            |   +----+     +-----+     +----+     +----+  |
   +----+   |   |    |=====|     |=====|    |=====|    |  |    +----+
   |    |-------|.....PW1..........PW2.........PW3.....|-------|    |
   | CE1|   |   |    |     |     |     |    |     |    |  |    |CE2 |
   +----+   |   |    |=====|     |=====|    |=====|    |  |    +----+
        ^       +----+     +-----+     +----+     +----+       ^
        |       T-PE1       S-PE2       S-PE3     T-PE4        |
        |                     ^          ^                     |
        |                     |          |                     |
        |                  PW switching points                 |
        |                                                      |
        |                                                      |
        |<------------------- Emulated Service --------------->|

Figure 3: PW Switching Inter-Provider Reference Model

Note that although Figure 2 only shows a single S-PE, a PW may transit more than one S-PE along its path. For instance, in the multi-AS case shown in Figure 3, there can be an S-PE (S-PE2) at the border of one AS (AS1) and another S-PE (S-PE3) at the border of the other AS (AS2). An MS-PW that extends from the edge of one AS (T-PE1) to the edge of the other AS (T-PE4) is composed of three segments: (1) PW1, a segment in AS1, (2) PW2, a segment between the two border routers (S-PE2 and S-PE3) that are switching PEs, and (3) PW3, a segment in AS2. AS1 and AS2 could belong to the same provider (e.g., AS1 could be an access network or metro transport network, and AS2 could be an MPLS core network) or to two different providers (e.g., AS1 for Provider 1 and AS2 for Provider 2).

2. Terminology

RFC 3985 [RFC3985] provides terminology for PWE3. The following additional terminology is defined for multi-segment pseudowires:

- PW Terminating Provider Edge (T-PE). A PE where the customer-facing attachment circuits (ACs) are bound to a PW forwarder. A Terminating PE is present in the first and last segments of an MS-PW. This incorporates the functionality of a PE as defined in RFC 3985.

- Single-Segment Pseudowire (SS-PW). A PW set up directly between two PE devices. Each direction of an SS-PW traverses one PSN tunnel that connects the two PEs.

- Multi-Segment Pseudowire (MS-PW). A statically or dynamically configured set of two or more contiguous PW segments that behave and function as a single point-to-point PW. Each end of an MS-PW by definition MUST terminate on a T-PE.

- PW Segment. A single-segment or a part of a multi-segment PW, which is set up between two PE devices, T-PEs and/or S-PEs.

- PW Switching Provider Edge (S-PE). A PE capable of switching the control and data planes of the preceding and succeeding PW segments in an MS-PW. The S-PE terminates the PSN tunnels transporting the preceding and succeeding segments of the MS-PW. It is therefore a PW switching point for an MS-PW. A PW switching point is never the S-PE and the T-PE for the same MS-PW. A PW switching point runs necessary protocols to set up and manage PW segments with other PW switching points and terminating PEs.

2.1. Specification of Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Use Cases

PWE3 defines the signaling and encapsulation techniques for establishing SS-PWs between a pair of terminating PEs (T-PEs), and in the vast majority of cases, this will be sufficient. MS-PWs may be useful in the following situations:

-i. Inter-Provider PWs: An Inter-Provider PW is a PW that extends from a T-PE in one provider domain to a T-PE in another provider domain.

-ii. It may not be possible, desirable, or feasible to establish a direct PW control channel between the T-PEs, residing in different provider networks, to set up and maintain PWs. At a minimum, a direct PW control channel establishment (e.g., targeted LDP session) requires knowledge of and reachability to the remote T-PE IP address. The local T-PE may not have access to this information due to operational or security constraints. Moreover, an SS-PW would require the existence of a PSN tunnel between the local T-PE and the remote T-PE. It may not be feasible or desirable to extend single, contiguous PSN tunnels between T-PEs in one domain and T-PEs in another domain for security and/or scalability reasons or because the two domains may be using different PSN technologies.

-iii. MS-PW setup, maintenance, and forwarding procedures must satisfy requirements placed by the constraints of a multi-provider environment. An example is the inter-AS L2VPN scenario where the T-PEs reside in different provider networks (ASs) and it is the current practice to MD5-key all control traffic exchanged between two networks. An MS-PW allows the providers to confine MD5 key administration for the LDP session to just the PW switching points connecting the two domains.

-iv. PSN Interworking: PWE3 signaling protocols and PSN types may differ in different provider networks. The terminating PEs may be connected to networks employing different PW signaling and/or PSN protocols. In this case, it is not possible to use an SS-PW. An MS-PW with the appropriate interworking performed at the PW switching points can enable PW connectivity between the terminating PEs in this scenario.

-v. Traffic Engineered PSN Tunnels and bandwidth-managed PWs: There is a requirement to deploy PWs edge to edge in large service provider networks. Such networks typically encompass hundreds or thousands of aggregation devices at the edge, each of which would be a PE. Furthermore, there is a requirement that these PWs have explicit bandwidth guarantees. To satisfy these requirements, the PWs will be tunneled over PSN TE-tunnels with bandwidth constraints. A single-segment pseudowire architecture would require that a full mesh of PSN TE-tunnels be provisioned to allow PWs to be established between all PEs. Inter-provider PWs riding traffic engineered tunnels further add to the number of tunnels that would have to be supported by the PEs and the core network as the total number of PEs increases.

In this environment, there is a requirement either to support a sparse mesh of PSN TE-tunnels and PW signaling adjacencies, or to partition the network into a number of smaller PWE3 domains. In either case, a PW would have to pass through more than one PSN tunnel hop along its path. An objective is to reduce the number of tunnels that must be supported, and thus the complexity and scalability problem that may arise.

-vi. Pseudowires in access/metro networks: Service providers wish to extend PW technology to access and metro networks in order to reduce maintenance complexity and operational costs. Today's access and metro networks are either legacy (Time Division Multiplexed (TDM), Synchronous Optical Network/Synchronous Digital Hierarchy (SONET/SDH), or Frame Relay/Asynchronous Transfer Mode (ATM)), Ethernet, or IP based.

Due to these architectures, circuits (e.g., Ethernet Virtual Circuits (EVCs), ATM VCs, TDM circuits) in the access/metro are traditionally handled as attachment circuits, in their native format, to the edge of the IP-MPLS network where the PW starts. This combination requires multiple separate access networks and complicates end-to-end control, provisioning, and maintenance. In addition, when a TDM or SONET/SDH access network is replaced with a packet-based infrastructure, expenses may be lowered due to moving statistical multiplexing closer to the end-user and converging multiple services onto a single access network.

Access networks have a number of properties that impact the application of PWs. For example, there exist access mechanisms where the PSN is not of an IETF specified type, but uses mechanisms compatible with those of PWE3 at the PW layer.

Here, use case (iv) may apply. In addition, many networks consist of hundreds or thousands of access devices. There is therefore a desire to support a sparse mesh of PW signaling adjacencies and PSN tunnels. Use case (v) may therefore apply. Finally, access networks also tend to differ from core networks in that the access PW setup and maintenance mechanism may only be a subset of that used in the core.

Using MS-PWs, access and metro network elements need only maintain PW signaling adjacencies with the PEs to which they directly connect. They do not need PW signaling adjacencies with every other access and metro network device. PEs in the PSN backbone, in turn, maintain PW signaling adjacencies among each other. In addition, a PSN tunnel is set up between an access element and the PE to which it connects. Another PSN tunnel needs to be established between every PE pair in the PSN backbone. An MS-PW may be set up from one access network element to another access element with three segments: (1) access element to PSN-PE, (2) PSN-PE to PSN-PE, and (3) PSN-PE to access element. In this MS-PW setup, access elements are T-PEs while PSN-PEs are S-PEs. It should be noted that the PSN backbone can also be segmented into PWE3 domains, resulting in more segments per PW.

3.1. Multi-Segment Pseudowire Setup Mechanisms

This requirements document assumes that the above use cases are realized using one or more of the following mechanisms:

-i. Static Configuration: The switching points (S-PEs), in addition to the T-PEs, are manually provisioned for each segment.

-ii. Pre-Determined Route: The PW is established along an administratively determined route using an end-to-end signaling protocol with automated stitching at the S-PEs.

-iii. Signaled Dynamic Route: The PW is established along a dynamically determined route using an end-to-end signaling protocol with automated stitching at the S-PEs. The route is selected with the aid of one or more dynamic routing protocols.

Note that we define the PW route to be the set of S-PEs through which an MS-PW will pass between a given pair of T-PEs. PSN tunnels along that route can be explicitly specified or locally selected at the S-PEs and T-PEs. The routing of the PSN tunnels themselves is outside the scope of the requirements specified in this document.

4. Multi-Segment Pseudowire Requirements

The following sections detail the requirements that the above use cases put on the MS-PW setup mechanisms.

4.1. All Mechanisms

The following generic requirements apply to the three MS-PW setup mechanisms defined in the previous section.

4.1.1. Architecture

-i. If MS-PWs are tunneled across a PSN that only supports SS-PWs, then only the requirements of [RFC3916] apply to that PSN. The fact that the overlay is carrying MS-PWs MUST be transparent to the routers in the PSN.

-ii. The PWs MUST remain transparent to the P-routers. A P-router is not an S-PE or a T-PE from the MS-PW architecture viewpoint. P-routers provide transparent PSN transport for PWs and MUST not have any knowledge of the PWs traversing them.

-iii. The MS-PWs MUST use the same encapsulation modes specified for SS-PWs.

-iv. The MS-PWs MUST be composed of SS-PWs.

-v. An MS-PW MUST be able to pass across PSNs of all technologies supported by PWE3 for SS-PWs. When crossing from one PSN technology to another, the S-PE at the crossing point must provide the necessary PSN interworking functions.

-vi. Both directions of a PW segment MUST terminate on the same S-PE/T-PE.

-vii. S-PEs MAY only support switching PWs of the same PW type. In this case, the PW type is transparent to the S-PE in the forwarding plane, except for functions needed to provide for interworking between different PSN technologies.

-viii. Solutions MAY provide a way to prioritize the setup and maintenance process among PWs.

4.1.2. Resiliency

Mechanisms to protect an MS-PW when an element on the existing path of an MS-PW fails MUST be provided. These mechanisms will depend on the MS-PW setup. The following are the generic resiliency requirements that apply to all MS-PW setup mechanisms:

-i. Configuration and establishment of a backup PW to a primary PW SHOULD be supported. Mechanisms to perform a switchover from a primary PW to a backup PW upon failure detection SHOULD be provided.

-ii. The ability to configure an end-to-end backup PW path for a primary PW path SHOULD be supported. The primary and backup paths may be statically configured, statically specified for signaling, or dynamically selected via dynamic routing depending on the MS-PW establishment mechanism. Backup and primary paths should have the ability to traverse separate S-PEs. The backup path MAY be signaled at configuration time or after failure.

-iii. The ability to configure a primary PW and a backup PW with a different T-PE from the primary SHOULD be supported.

-iv. Automatic mechanisms to perform a fast switchover from a primary PW to a backup PW upon failure detection SHOULD be provided.

-v. A mechanism to automatically revert to a primary PW from a backup PW MAY be provided. When provided, it MUST be configurable.

4.1.3. Quality of Service

Pseudowires are intended to support emulated services (e.g., TDM and ATM) that may have strict per-connection quality-of-service (QoS) requirements. This may include either absolute or relative guarantees on packet loss, delay, and jitter. These guarantees are, in part, delivered by reserving sufficient network resources (e.g., bandwidth), and by providing appropriate per-packet treatment (e.g., scheduling priority and drop precedence) throughout the network.

For SS-PWs, a traffic engineered PSN tunnel (i.e., MPLS-TE) may be used to ensure that sufficient resources are reserved in the P-routers to provide QoS to PWs on the tunnel. In this case, T-PEs MUST have the ability to automatically request the PSN tunnel resources in the direction of traffic (e.g., admission control of PWs onto the PSN tunnel and accounting for reserved bandwidth and available bandwidth on the tunnel). In cases where the tunnel supports multiple classes of service (CoS) (e.g., E-LSP), bandwidth management is required per CoS.

For MS-PWs, each S-PE maps a PW segment to a PSN tunnel. Solutions MUST enable S-PEs and T-PEs to automatically bind a PW segment to a PSN tunnel based on CoS and bandwidth requirements when these attributes are specified for a PW. Solutions SHOULD also provide the capability of binding a PW segment to a tunnel as a matter of policy configuration. S-PEs and T-PEs must be capable of automatically requesting PSN tunnel resources per CoS.

S-PEs and T-PEs MUST be able to associate a CoS marking (e.g., EXP field value for MPLS PWs) with PW PDUs. CoS marking in the PW PDUs affects packet treatment. The CoS marking depends on the PSN technology. Thus, solutions must enable the configuration of necessary mapping for CoS marking when the MS-PW crosses from one PSN technology to another. Similarly, different administrative domains may use different CoS values to imply the same CoS treatment. Solutions MUST provide the ability to define CoS marking maps on S-PEs at administrative domain boundaries to translate from one CoS value to another as a PW PDU crosses from one domain to the next.

[RFC3985] requires PWs to respond to path congestion by reducing their transmission rate. Alternatively, RFC 3985 permits PWs that do not have a congestion control mechanism to transmit using explicitly reserved capacity along a provisioned path. Because MS-PWs are a type of PW, this requirement extends to them as well. Applied to MS-PWs, RFC 3985 consequently requires either that MS-PWs employ a congestion control mechanism that is effective across the whole MS path, or that an explicit provisioning action reserves sufficient capacity in all domains along the MS path before the MS-PW begins transmission. S-PEs are therefore REQUIRED to reject attempts to establish MS-PW segments for PW types that do not utilize an appropriate congestion control scheme, or when resources sufficient to support the transmission rate of the PW cannot be reserved along the path.

4.1.4. Congestion Control

[RFC3985] requires all PWs to respond to congestion, in order to conform to [RFC2914]. In the absence of a well-defined congestion control mechanism, [RFC3985] permits PWs to be carried across paths that have been provisioned such that the traffic caused by PWs has no harmful effect on concurrent traffic that shares the path, even under congestion. These requirements extend to the MS-PWs defined in this document.

Path provisioning is frequently performed through QoS reservation protocols or network management protocols. In the case of SS-PWs, which remain within a single administrative domain, a number of existing protocols can provide this provisioning functionality. MS-PWs, however, may transmit across network domains that are under the control of multiple entities. QoS provisioning across such paths is inherently more difficult, due to the required inter-domain interactions. It is important to note that these difficulties do not invalidate the requirement to provision path capacity for MS-PW use. Each domain MUST individually implement a method to control congestion. This can be by QoS reservation, or other congestion control method. MS-PWs MUST NOT transmit across unprovisioned, best effort, paths in the absence of other congestion control schemes, as required by [RFC3985].

Solutions MUST enable S-PEs and T-PEs on the path of an MS-PW to notify the other S-PEs and T-PEs on that path when congestion occurs. Congestion may be indicated by queue length, packet loss rate, or bandwidth measurement (among others) crossing a respective threshold. The action taken by a T-PE that receives a notification of congestion along the path of one of its PWs could be to re-route the MS-PW to an alternative path, including an alternative T-PE if available. If a PE or an S-PE has knowledge that a particular link or tunnel is experiencing congestion, it MUST not set up any new MS-PW that utilizes that link or tunnel. Some PW types, such as TDM PWs, are more sensitive to congestion than others. The reaction to a congestion notification MAY vary per PW type.

4.1.5. Additional Generic Requirements for MS-PW Setup Mechanisms

The MS-PW setup mechanisms MUST accommodate the service provider's practices, especially in relation to security, confidentiality of SP information, and traffic engineering. Security and confidentiality are especially important when the MS-PWs are set up across autonomous systems in different administrative domains. The following are generic requirements that apply to the three MS-PW setup mechanisms defined earlier:

-i. The ability to statically select S-PEs and PSN tunnels on a PW path MUST be provided. Static selection of S-PEs is by definition a requirement for the static configuration and signaled/static route setup mechanisms. This requirement satisfies the need for forcing an MS-PW to traverse specific S-PEs to enforce service provider security and administrative policies.

-ii. Solutions SHOULD minimize the amount of configuration needed to set up an MS-PW.

-iii. Solutions should support different PW setup mechanisms on the same T-PE, S-PE, and PSN network.

-iv. Solutions MUST allow T-PEs to simultaneously support use of SS-PW signaling mechanisms as specified in [RFC4447], as well as MS-PW signaling mechanisms.

-v. Solutions MUST ensure that an MS-PW will be set up when a path that satisfies the PW constraints for bandwidth, CoS, and other possible attributes does exist in the network.

-vi. Solutions must clearly define the setup procedures for each mechanism so that an MS-PW setup on T-PEs can be interpreted as successful only when all PW segments are successfully set up.

-vii. Admission control to the PSN tunnel needs to be performed against available resources, when applicable. This process MUST be performed at each PW segment comprising the MS-PW. PW admission control into a PSN tunnel MUST be configurable.

-viii. In case the PSN tunnel lacks the resources necessary to accommodate the new PW, an attempt to signal a new PSN tunnel, or increase the capacity of the existing PSN tunnel MAY be made. If the expanded PSN tunnel fails to set up, the PW MUST fail to set up.

-ix. The setup mechanisms must allow the setup of a PW segment between two directly connected S-PEs without the existence of a PSN tunnel. This requirement allows a PW segment to be set up between two Autonomous System Border Routers (ASBRs) when the MS-PW crosses AS boundaries, without the need for configuring and setting up a PSN tunnel. In this case, admission control must be done, when enabled, on the link between the S-PEs.

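As an added example that is not part of RFC 5254, the following Python sketch models the per-segment admission control, the one-shot tunnel expansion and the all-or-nothing setup semantics of items vi to ix above, together with the Section 4.1.4 rule that a congested link or tunnel admits no new MS-PW. Tunnel names, CoS names and bandwidth figures are constructed, and a direct ASBR-to-ASBR link (item ix) is modelled as a `Tunnel` whose capacity is that of the link.

```python
"""Added example (not from RFC 5254): segment-by-segment admission control and
all-or-nothing setup of an MS-PW.  All names and figures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Tunnel:
    """A PSN tunnel (or, for item ix, a direct ASBR-to-ASBR link) between two
    adjacent PEs.  Reservable bandwidth is tracked per CoS, as Section 4.1.3
    requires, and a tunnel known to be congested (Section 4.1.4) must not
    admit any new MS-PW."""
    name: str
    capacity: dict            # CoS -> reservable bandwidth (Mbit/s), constructed
    expandable: int = 0       # extra bandwidth the PSN would grant on request
    congested: bool = False
    reserved: dict = field(default_factory=dict)

    def available(self, cos):
        return self.capacity.get(cos, 0) - self.reserved.get(cos, 0)

    def admit(self, cos, bw, admission_control=True):
        """Try to bind one PW segment to this tunnel.  Admission control is
        configurable (item vii).  If the tunnel lacks resources, one attempt is
        made to grow it (item viii); if that fails, the segment fails."""
        if self.congested:
            return False
        if admission_control and self.available(cos) < bw:
            shortfall = bw - self.available(cos)
            if self.expandable < shortfall:
                return False
            self.capacity[cos] = self.capacity.get(cos, 0) + shortfall
            self.expandable -= shortfall
        self.reserved[cos] = self.reserved.get(cos, 0) + bw
        return True

    def release(self, cos, bw):
        self.reserved[cos] = self.reserved.get(cos, 0) - bw


def setup_ms_pw(route, cos, bw, admission_control=True):
    """Set up an MS-PW along `route`, a list of Tunnel objects from the
    ingress T-PE through each S-PE to the egress T-PE.  The setup counts as
    successful only when every segment was admitted (item vi); on the first
    failure every reservation already made is released.  Returns
    (success, name_of_failed_segment_or_None)."""
    admitted = []
    for tunnel in route:
        if tunnel.admit(cos, bw, admission_control):
            admitted.append(tunnel)
            continue
        for done in admitted:
            done.release(cos, bw)
        return False, tunnel.name
    return True, None


if __name__ == "__main__":
    # Constructed three-segment route: access T-PE -> S-PE -> S-PE -> T-PE.
    route = [Tunnel("T-PE1->S-PE1", {"EF": 100}),
             Tunnel("S-PE1->S-PE2", {"EF": 30}, expandable=20),
             Tunnel("S-PE2->T-PE2", {"EF": 100})]
    print(setup_ms_pw(route, "EF", 40))   # admitted after growing the middle tunnel
    print(setup_ms_pw(route, "EF", 15))   # fails: middle tunnel cannot grow enough
```
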
4.1.6. Routing

An objective of MS-PWs is to provide support for the following connectivity:

-i. MS-PWs MUST be able to traverse multiple service provider administrative domains.

-ii. MS-PWs MUST be able to traverse multiple autonomous systems within the same administrative domain.

-iii. MS-PWs MUST be able to traverse multiple autonomous systems belonging to different administrative domains.

-iv. MS-PWs MUST be able to support any hybrid combination of the aforementioned connectivity scenarios, including both PW transit and termination in a domain.

4.2. Statically Configured MS-PWs

When the MS-PW segments are statically configured, the following requirements apply in addition to the generic requirements previously defined.

4.2.1. Architecture

There are no additional requirements on the architecture.

4.2.2. MPLS-PWs

Solutions should allow for the static configuration of MPLS labels for MPLS-PW segments and the cross-connection of these labels to preceding and succeeding segments. This is especially useful when an MS-PW crosses provider boundaries and two providers do not want to run any PW signaling protocol between them. A T-PE or S-PE that allows the configuration of static labels for MS-PW segments should also simultaneously allow for dynamic label assignments for other MS-PW segments. It should be noted that when two interconnected S-PEs do not have signaling peering for the purpose of setting up MS-PW segments, they should have in-band PW Operations and Maintenance (OAM) capabilities that relay PW or attachment circuit defect notifications between the adjacent S-PEs.

4.2.3. Resiliency

The solution should allow for the protection of a PW segment, a contiguous set of PW segments, as well as the end-to-end path. The primary and protection segments must share the same segment endpoints. Solutions should allow for having the backup paths set up prior to the failure or as a result of failure. The choice should be made by configuration. When resources are limited and cannot satisfy all PWs, the PWs with the higher setup priorities should be given preference when compared with the setup priorities of other PWs being set up or the holding priorities of existing PWs.

Solutions should strive to minimize traffic loss between T-PEs.

4.2.4. Quality of Service

The CoS and bandwidth of the MS-PW must be configurable at T-PEs and S-PEs.

4.3. Signaled PW Segments

When the MS-PW segments are dynamically signaled, the following requirements apply in addition to the generic requirements previously defined. The signaled MS-PW segments can be on the path of a statically configured MS-PW, signaled/statically routed MS-PW, or signaled/dynamically routed MS-PW.

There are four different mechanisms that are defined to set up SS-PWs:

-i. Static set up of the SS-PW (MPLS or L2TPv3 forwarding)

-ii. LDP using PWid Forwarding Equivalence Class (FEC) 128

-iii. LDP using the generalized PW FEC 129

-iv. L2TPv3

The MS-PW setup mechanism MUST be able to support PW segments signaled with any of the above protocols; however, the specification of which combinations of SS-PW signaling protocols are supported by a specific implementation is outside the scope of this document.

For the signaled/statically routed and signaled/dynamically routed MS-PW setup mechanisms, the following requirements apply in addition to the generic requirements previously defined.

4.3.1. Architecture

There are no additional requirements on the architecture.

4.3.2. Resiliency

Solutions should allow for the signaling of a protection path for a PW segment, sequence of segments, or end-to-end path. The protection and primary paths for the protected segment(s) share the same respective segment endpoints. When admission control is enabled, systems must be careful not to double account for bandwidth allocation at merge points (e.g., tunnels). Solutions should allow for having the backup paths set up prior to the failure or as a result of failure. The choice should be made by configuration at the endpoints of the protected path. When resources are limited and cannot satisfy all PWs, the PWs with the higher setup priorities should be given preference when compared with the setup priorities of other PWs being set up or the holding priorities of existing PWs. Procedures must allow for the primary and backup paths to be diverse.

4.3.3. Quality of Service

When the T-PE attempts to signal an MS-PW, the following capability is required:

-i. Signaling must be able to identify the CoS associated with an MS-PW.

-ii. Signaling must be able to carry the traffic parameters for an MS-PW per CoS. Traffic parameters should be based on existing INTSERV definitions and must be used for admission control when admission control is enabled.

-iii. The PW signaling MUST enable separate traffic parameter values to be specified for the forward and reverse directions of the PW.

-iv. PW traffic parameter representations MUST be the same for all types of MS-PWs.

-v. The signaling protocol must be able to accommodate a method to prioritize the PW setup and maintenance operation among PWs.

4.3.4. Routing

See the requirements for "Resiliency" above.

4.3.5. Additional Requirements on Signaled MS-PW Setup Mechanisms

The following are further requirements on signaled MS-PW setup mechanisms:

-i. The signaling procedures MUST be defined such that the setup of an MS-PW is considered successful if all segments of the MS-PW are successfully set up.

-ii. The MS-PW path MUST have the ability to be dynamically set up between the T-PEs by provisioning only the T-PEs.

-iii. Dynamic MS-PW setup requires that a unique identifier be associated with a PW and be carried in the signaling message. That identifier must contain sufficient information to determine the path to the remote T-PE through intermediate S-PEs.

-iv. In a single-provider domain, it is natural to have the T-PE identified by one of its IP addresses. This may also apply when an MS-PW is set up across multiple domains operated by the same provider. However, some service providers have security and confidentiality policies that prevent them from advertising reachability to routers in their networks to other providers (reachability to an ASBR is an exception). Thus, procedures MUST be provided to allow dynamic setup of MS-PWs under these conditions.

4.4. Signaled PW / Dynamic Route

The following requirements apply, in addition to those in Sections 4.1 and 4.3, when both dynamic signaling and dynamic routing are used.

4.4.1. Architecture

There are no additional architectural requirements.

4.4.2. Resiliency

The PW routing function MUST support dynamic re-routing around failure points when segments are set up using the dynamic setup method.

4.4.3. Quality of Service

There are no additional QoS requirements.

4.4.4. Routing

The following are requirements associated with dynamic route selection for an MS-PW:

-i. Routing must enable S-PEs and T-PEs to discover S-PEs on the path to a destination T-PE.

-ii. The MS-PW routing function MUST have the ability to automatically select the S-PEs along the MS-PW path. Some of the S-PEs MAY be statically selected and carried in the signaling to constrain the route selection process.

-iii. The PW routing function MUST support re-routing around failures that occur between the statically configured segment endpoints. This may be done by choosing another PSN tunnel between the two segment endpoints or setting up an alternative tunnel.

-iv. Routing protocols must be able to advertise reachability information of attachment circuit (AC) endpoints. This reachability information must be consistent with the AC identifiers carried in signaling.

5. Operations and Maintenance (OAM)

OAM mechanisms for the attachment circuits are defined in the specifications for PW emulated specific technologies (e.g., ITU-T I.610 [i610] for ATM). These mechanisms enable, among other things, defects in the network to be detected, localized, and diagnosed. They also enable communication of PW defect states on the PW attachment circuit. Note that this document uses the term OAM as Operations and Management as per ITU-T I.610.

The interworking of OAM mechanisms for SS-PWs between ACs and PWs is defined in [PWE3-OAM]. These enable defect states to be propagated across a PWE3 network following the failure and recovery from faults.

OAM mechanisms for MS-PWs MUST provide at least the same capabilities as those for SS-PWs. In addition, it should be possible to support both segment and end-to-end OAM mechanisms for both defect notifications and connectivity verification in order to allow defects to be localized in a multi-segment network. That is, PW OAM segments can be T-PE to T-PE, T-PE to S-PE, or S-PE to S-PE.

The following requirements apply to OAM for MS-PWs:

-i. Mechanisms for PW segment failure detection and notification to other segments of an MS-PW MUST be provided.

-ii. MS-PW OAM SHOULD be supported end-to-end across the network.

-iii. Single ended monitoring SHOULD be supported for both directions of the MS-PW.

-iv. SS-PW OAM mechanisms (e.g., [RFC5085]) SHOULD be extended to support MS-PWs on both an end-to-end basis and segment basis.

-v. All PE routers along the MS-PW MUST agree on a common PW OAM mechanism to use for the MS-PW.

-vi. At the S-PE, defects on a PSN tunnel MUST be propagated to all PWs that utilize that particular PSN tunnel.

-vii. The directionality of defect notifications MUST be maintained across the S-PE.

-viii. The S-PE SHOULD be able to behave as a segment endpoint for PW OAM mechanisms.

-ix. The S-PE MUST be able to pass T-PE to T-PE PW OAM messages transparently.

-x. Performance OAM is required for both MS-PWs and SS-PWs to measure round-trip delay, one-way delay, jitter, and packet loss ratio.

6. Management of Multi-Segment Pseudowires

Each PWE3 approach that uses MS-PWs SHOULD provide some mechanisms for network operators to manage the emulated service. Management mechanisms for MS-PWs MUST provide at least the same capabilities as those for SS-PWs, as defined in [RFC3916].

It SHOULD also be possible to manage the additional attributes for MS-PWs. Since the operator that initiates the establishment of an MS-PW may reside in a different PSN domain from the S-PEs and one of the T-PEs along the path of the MS-PW, mechanisms for the remote management of the MS-PW SHOULD be provided.

The following additional requirements apply:

6.1. MIB Requirements

-i. MIB Tables MUST be designed to facilitate configuration and provisioning of the MS-PW at the S-PEs and T-PEs.

-ii. The MIB(s) MUST facilitate inter-PSN configuration and monitoring of the ACs.

6.2. Management Interface Requirements

-i. Mechanisms MUST be provided to enable remote management of an MS-PW at an S-PE or T-PE. It SHOULD be possible for these mechanisms to operate across PSN domains. An example of a commonly available mechanism is the command line interface (CLI) over a telnet session.

-ii. For security or other reasons, it SHOULD be possible to disable the remote management of an MS-PW.

7. Security Considerations

This document specifies the requirements both for MS-PWs that can be set up across domain boundaries administered by one or more service providers (inter-provider MS-PWs), and for MS-PWs that are only set up across one provider (intra-provider MS-PWs).

7.1. Inter-Provider MS-PWs

The security requirements for MS-PW setup across domains administered by one service provider are the same as those described under security considerations in [RFC4447] and [RFC3916]. These requirements also apply to inter-provider MS-PWs.

In addition, [RFC4111] identifies user and provider requirements for L2 VPNs that apply to MS-PWs described in this document. In this section, the focus is on the additional security requirements for inter-provider operation of MS-PWs in both the control plane and data plane, and some of these requirements may overlap with those in [RFC4111].

7.1.1. Data-Plane Security Requirements

By security in the "data plane", we mean protection against the following possibilities:

-i. Packets from within an MS-PW traveling to a PE or an AC to which the PW is not intended to be connected, other than in a manner consistent with the policies of the MS-PW.

-ii. Packets from outside an MS-PW entering the MS-PW, other than in a manner consistent with the policies of the MS-PW.

MS-PWs that cross service provider (SP) domain boundaries may connect one T-PE in an SP domain to a T-PE in another provider domain. They may also transit other provider domains even if the two T-PEs are under the control of one SP. Under these scenarios, there is a chance that one or more PDUs could be falsely inserted into an MS-PW at any of the originating, terminating, or transit domains. Such false injection can be the result of a malicious attack or a fault in the S-PE. Solutions MAY provide mechanisms for ensuring the end-to-end authenticity of MS-PW PDUs.

The data plane security requirements at a service provider border for MS-PWs are similar to those for inter-provider BGP/MPLS IP Virtual Private Networks [RFC4364]. In particular, an S-PE or T-PE SHOULD discard a packet received from a particular neighbor over the service provider border unless one of the following two conditions holds:

-i. Any MPLS label processed at the receiving S-PE or T-PE, such as the PSN tunnel label or the PW label, has a label value that the receiving system has distributed to that neighbor; or

-ii. Any MPLS label processed at the receiving S-PE or T-PE, such as the PSN tunnel label or the PW label has a label value that the receiving S-PE or T-PE has previously distributed to the peer S-PE or T-PE beyond that neighbor (i.e., when it is known that the path from the system to which the label was distributed to the receiving system is via that neighbor).

One of the domains crossed by an MS-PW may decide to selectively mirror the PDUs of an MS-PW for eavesdropping purposes. It may also decide to selectively hijack the PDUs of an MS-PW by directing the PDUs away from their destination. In either case, the privacy of an MS-PW can be violated.

Some types of PWs make assumptions about the security of the underlying PSN. The minimal security provided by an MPLS PSN might not be sufficient to meet the security requirements expected by the applications using the MS-PW. This document does not place any requirements on protecting the privacy of an MS-PW PDU via encryption. However, encryption may be required at a higher layer in the protocol stack, based on the application or network requirements.

The data plane of an S-PE at a domain boundary MUST be able to police incoming MS-PW traffic to the MS-PW traffic parameters or to an administratively configured profile. The option to enable/disable policing MUST be provided to the network administrator. This is to ensure that an MS-PW or a group of MS-PWs do not grab more resources than they are allocated. In addition, the data plane of an S-PE MUST be able to police OAM messages to a pre-configured traffic profile or to filter out these messages upon administrative configuration.

An ingress S-PE MUST ensure that an MS-PW receives the CoS treatment configured or signaled for that MS-PW at the S-PE. Specifically, an S-PE MUST guard against packets whose EXP bits (MPLS PSN) or IP-header Differentiated Services (DS) field (IP PSN) are marked for a better CoS than the MS-PW is entitled to receive.

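The policing requirement and the CoS guard above can be modelled together as one ingress pipeline at the border S-PE. The following Python is an added example, not RFC 5254 text or any vendor's implementation: the profile values, the "pw-17" identifier, the packet fields and the assumption that a higher EXP value means better treatment are all hypothetical, and the administrator's enable/disable knob is modelled as a constructor flag.

```python
"""Ingress S-PE border pipeline: per-MS-PW policing, OAM policing/filtering
and CoS clamping. Added illustration, not RFC 5254 text; the profile values,
packet fields and PW identifiers are hypothetical."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    size: int             # bytes
    exp: int              # EXP/TC value carried with the PW label (0..7)
    is_oam: bool = False  # True for OAM messages (e.g. a VCCV control-channel packet)


@dataclass
class TokenBucket:
    """Single-rate policer: tokens are bytes, refilled at rate_bps up to burst_bytes."""
    rate_bps: float
    burst_bytes: int
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)
        self.last = 0.0

    def conform(self, size: int, now: float) -> bool:
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


@dataclass
class PwProfile:
    """Traffic parameters signaled for the MS-PW, or an administratively set profile."""
    cir_bps: float          # committed rate for MS-PW data, bytes per second
    cbs_bytes: int          # committed burst
    exp: int                # the CoS (EXP value) this MS-PW is entitled to
    oam_policy: str         # "police", "filter" (drop all OAM) or "none"
    oam_cir_bps: float = 0.0
    oam_cbs_bytes: int = 0


class BorderIngress:
    def __init__(self, policing_enabled: bool = True):
        self.policing_enabled = policing_enabled   # administrator's enable/disable knob (data traffic)
        self.profiles: Dict[str, PwProfile] = {}
        self.data_buckets: Dict[str, TokenBucket] = {}
        self.oam_buckets: Dict[str, TokenBucket] = {}

    def configure(self, pw_id: str, profile: PwProfile) -> None:
        self.profiles[pw_id] = profile
        self.data_buckets[pw_id] = TokenBucket(profile.cir_bps, profile.cbs_bytes)
        if profile.oam_policy == "police":
            self.oam_buckets[pw_id] = TokenBucket(profile.oam_cir_bps, profile.oam_cbs_bytes)

    def process(self, pw_id: str, pkt: Packet, now: float) -> Tuple[str, Packet]:
        profile = self.profiles.get(pw_id)
        if profile is None:
            return "drop:unknown-pw", pkt
        if pkt.is_oam:
            # OAM follows its own configured policy regardless of the data-policing knob.
            if profile.oam_policy == "filter":
                return "drop:oam-filtered", pkt
            if profile.oam_policy == "police" and not self.oam_buckets[pw_id].conform(pkt.size, now):
                return "drop:oam-exceeded", pkt
        elif self.policing_enabled and not self.data_buckets[pw_id].conform(pkt.size, now):
            return "drop:exceeded", pkt
        # CoS guard: assumes a higher EXP value maps to better treatment in this PSN,
        # so anything above the entitled value is re-marked down rather than honoured.
        if pkt.exp > profile.exp:
            return "forward:remarked", replace(pkt, exp=profile.exp)
        return "forward", pkt


def demo(policing_enabled: bool = True) -> List[Tuple[str, int]]:
    """Constructed packet sequence on one MS-PW; returns (action, outgoing EXP) per packet."""
    ingress = BorderIngress(policing_enabled)
    ingress.configure("pw-17", PwProfile(cir_bps=1000, cbs_bytes=1500, exp=3,
                                         oam_policy="police", oam_cir_bps=100, oam_cbs_bytes=200))
    events = [
        (0.0, Packet(1500, exp=3)),              # consumes the whole committed burst
        (0.0, Packet(1500, exp=3)),              # bucket empty
        (1.0, Packet(1500, exp=3)),              # only 1000 bytes refilled so far
        (1.5, Packet(1500, exp=5)),              # conforms, but marked better than entitled
        (2.0, Packet(100, exp=0, is_oam=True)),  # OAM bucket 200 -> 100
        (2.0, Packet(100, exp=0, is_oam=True)),  # OAM bucket 100 -> 0
        (2.0, Packet(100, exp=0, is_oam=True)),  # OAM above its profile
    ]
    out = []
    for now, pkt in events:
        action, fwd = ingress.process("pw-17", pkt, now)
        out.append((action, fwd.exp))
    return out


if __name__ == "__main__":
    for action, exp in demo():
        print(f"{action:18s} exp={exp}")
```

The order matters: policing is applied before the CoS clamp so that a burst of high-EXP packets cannot consume more than the committed rate, and a packet that exceeds its entitled CoS is re-marked rather than dropped, which preserves the MS-PW's own traffic while denying it a better class than it bought.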

An ingress S-PE MUST be able to define per-interface or interface-group (a group may correspond to interfaces to a peer-provider) label space for MPLS-PWs. An S-PE MUST be configurable not to accept labeled packets from another provider unless the bottom label is a PW-label assigned by the S-PE on the interface on which the packet arrived.

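The two-condition acceptance rule from the border data-plane requirement and the per-interface label space with the bottom-label check from the preceding paragraph reduce to one lookup against the labels this S-PE has distributed. The following Python is an added example, not part of RFC 5254 or of any router implementation: the interface names, neighbour and peer names and label values are hypothetical, and "via" is the locally known next hop toward the system a label was handed to.

```python
"""Border label-stack check for an S-PE/T-PE receiving packets from another
provider. Added illustration, not RFC 5254 text: interface names, neighbour
names and label values are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Distributed:
    kind: str      # "tunnel" (PSN tunnel label) or "pw" (PW label)
    to_peer: str   # system this label value was distributed to
    via: str       # neighbour through which that system's packets reach us


class BorderLabelFilter:
    """Per-interface (or interface-group) label space plus the two-condition
    acceptance rule: a label is honoured only if it was distributed to the
    neighbour it arrived from (i), or to a system known to reach us via that
    neighbour (ii). Optionally the bottom label must be a PW label that this
    S-PE itself assigned on the arrival interface."""

    def __init__(self, require_local_pw_bottom_label: bool = True):
        self.require_local_pw_bottom_label = require_local_pw_bottom_label
        self._space: Dict[str, Dict[int, Distributed]] = {}   # iface -> label -> record

    def distribute(self, iface: str, label: int, kind: str,
                   to_peer: str, via: Optional[str] = None) -> None:
        """Record a label handed out on `iface`; `via` defaults to the peer itself
        (the direct-neighbour case of condition (i))."""
        self._space.setdefault(iface, {})[label] = Distributed(kind, to_peer, via or to_peer)

    def _lookup(self, iface: str, label: int) -> Optional[Distributed]:
        return self._space.get(iface, {}).get(label)

    def _label_permitted(self, iface: str, label: int, neighbour: str) -> bool:
        rec = self._lookup(iface, label)
        if rec is None:
            return False                      # never distributed in this label space
        if rec.to_peer == neighbour:
            return True                       # condition (i)
        return rec.via == neighbour           # condition (ii)

    def accept(self, iface: str, neighbour: str, label_stack: List[int]) -> Tuple[bool, str]:
        """label_stack is top-first, so the PW label is the last element."""
        if not label_stack:
            return False, "unlabelled packet over a provider border"
        bottom = label_stack[-1]
        if self.require_local_pw_bottom_label:
            rec = self._lookup(iface, bottom)
            if rec is None or rec.kind != "pw":
                return False, f"bottom label {bottom} is not a PW label assigned on {iface}"
        for label in label_stack:
            if not self._label_permitted(iface, label, neighbour):
                return False, f"label {label} was not distributed to or via {neighbour}"
        return True, "accepted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: provider B reached over ge-0/0/1, provider C over ge-0/0/2."""
    f = BorderLabelFilter()
    f.distribute("ge-0/0/1", 1001, "tunnel", to_peer="asbr-B")
    f.distribute("ge-0/0/1", 2001, "pw", to_peer="spe-B2", via="asbr-B")
    # The same numeric value lives in ge-0/0/2's label space for a different peer.
    f.distribute("ge-0/0/2", 2001, "pw", to_peer="spe-C1", via="asbr-C")
    return {
        "tunnel_plus_pw": f.accept("ge-0/0/1", "asbr-B", [1001, 2001]),
        "pw_only":        f.accept("ge-0/0/1", "asbr-B", [2001]),
        "wrong_iface":    f.accept("ge-0/0/2", "asbr-B", [2001]),   # B's neighbour on C's interface
        "unknown_label":  f.accept("ge-0/0/1", "asbr-B", [1001, 3333]),
        "tunnel_bottom":  f.accept("ge-0/0/1", "asbr-B", [1001]),   # no PW label at bottom
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'accept' if ok else 'drop  '} {why}")
```

Keying the table by interface is what stops a label value that provider B was legitimately given from being replayed by provider C on a different border link: the lookup for "wrong_iface" finds a record, but one distributed via a different neighbour, and the packet is dropped.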

Data plane security considerations for SS-PWs specified in [RFC3985] also apply to MS-PWs.

7.1.2. Control-Plane Security Requirements

An MS-PW connects two attachment circuits. It is important to make sure that PW connections are not arbitrarily accepted from anywhere, or else a local attachment circuit might get connected to an arbitrary remote attachment circuit. Such a misconnection can originate at a remote T-PE or at an S-PE.

Where a PW segment crosses a border between one provider and another provider, the PW segment endpoints (S-PEs) SHOULD be on ASBRs interconnecting the two providers. Directly interconnecting the S-PEs using a physically secure link, and enabling signaling and routing authentication between the S-PEs, eliminates the possibility of receiving an MS-PW signaling message or packet from an untrusted peer. Other configurations are possible. For example, the P routers for the PSN tunnel between adjacent S-PEs/T-PEs may reside on the ASBRs, in which case the S-PEs/T-PEs MUST satisfy themselves of the security and privacy of the path.

The configuration and maintenance protocol MUST provide a strong authentication and control protocol data protection mechanism. This option MUST be implemented, but it should be deployed according to the specific PSN environment requirements. Furthermore, authentication using a signature for each individual MS-PW setup message MUST be available, in addition to an overall control protocol session authentication and message validation.

Since S-PEs in different provider networks SHOULD reside at each end of a physically secure link, or be interconnected by a limited number of trusted PSN tunnels, each S-PE will have a trust relationship with only a limited number of S-PEs in other ASs. Thus, it is expected that current security mechanisms based on manual key management will be sufficient. If deployment situations arise that require large scale connection to S-PEs in other ASs, then a mechanism based on RFC 4107 [RFC4107] MUST be developed.

Peer authentication protects against IP address spoofing but does not prevent one peer (S-PE or T-PE) from connecting to the wrong attachment circuit. Under a single administrative authority, this may be the result of a misconfiguration. When the MS-PW crosses multiple provider domains, this may be the result of a malicious act by a service provider or a security hole in that provider network. Static manual configuration of MS-PWs at S-PEs and T-PEs provides a greater degree of security. If an identification of both ends of an MS-PW is configured and carried in the signaling message, an S-PE can verify the signaling message against the configuration. To support dynamic signaling of MS-PWs, whereby only endpoints are provisioned and S-PEs are dynamically discovered, mechanisms SHOULD be provided to configure such information on a server and to use that information during a connection attempt for validation.

An incoming MS-PW request/reply MUST NOT be accepted unless its IP source address is known to be the source of an "eligible" peer. An eligible peer is an S-PE or a T-PE with which the originating S-PE or T-PE has a trust relationship. The number of such trusted T-PEs or S-PEs is bounded and not anticipated to create a scaling issue for the control plane authentication mechanisms.

If a peering adjacency has to be established prior to exchanging setup requests/responses, peering MUST only be done with eligible peers. The set of eligible peers could be pre-configured (either as a list of IP addresses, or as a list of address/mask combinations) or automatically generated from the local PW configuration information.

Furthermore, the restriction of peering sessions to specific interfaces MUST also be provided. The S-PE and T-PE MUST drop the unaccepted signaling messages in the data path to avoid a Denial-of-Service (DoS) attack on the control plane.

Even if a connection request appears to come from an eligible peer, its source address may have been spoofed. Thus, means of preventing source address spoofing must be in place. For example, if eligible peers are in the same network, source address filtering at the border routers of that network could eliminate the possibility of source address spoofing.

S-PEs that connect one provider domain to another provider domain MUST have the capability to rate-limit signaling traffic in order to prevent DoS attacks on the control plane. Furthermore, detection and disposition of malformed packets and defense against various forms of attacks that can be protocol-specific MUST be provided.

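The control-plane requirements in this section (accept setup messages only from eligible peers configured as addresses or address/mask pairs, restrict peering to specific interfaces, drop ineligible messages early, rate-limit signaling from a border peer, and verify the endpoint identification carried in the message against local provisioning) can be combined into one admission check. The following Python is an added example and is not RFC 5254 text or any signaling implementation: the SetupMessage fields, the addresses, the interface names, the attachment-circuit identifiers and the tiny rate limit are hypothetical, and source-address spoofing is assumed to be handled separately by border filtering as the text describes.

```python
"""Control-plane admission of MS-PW setup messages at an S-PE/T-PE: eligible-peer
check by address or address/mask, per-interface restriction, a signaling rate limit
and validation of the endpoint identifiers against local provisioning. Added
illustration, not RFC 5254 text; the message fields, addresses, interface names
and attachment-circuit identifiers are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class SetupMessage:
    src_ip: str        # IP source address of the signaling peer
    iface: str         # interface the message arrived on
    source_aii: str    # identifier of the originating attachment circuit
    target_aii: str    # identifier of the attachment circuit being requested here
    pw_id: int


class SignalingAdmission:
    def __init__(self, max_per_window: int, window_s: float = 1.0):
        self._eligible = []                                   # (ip_network, frozenset of interfaces)
        self._provisioned: Dict[Tuple[str, str], int] = {}    # (source_aii, target_aii) -> pw_id
        self._max = max_per_window
        self._window_s = window_s
        self._counts: Dict[str, Tuple[int, int]] = {}         # src_ip -> (window index, count)

    def add_eligible_peer(self, addr_or_net: str, interfaces) -> None:
        """Accepts a host address ("192.0.2.1") or address/mask ("198.51.100.0/30")."""
        net = ipaddress.ip_network(addr_or_net, strict=False)
        self._eligible.append((net, frozenset(interfaces)))

    def provision_pw(self, source_aii: str, target_aii: str, pw_id: int) -> None:
        """Local configuration of which pair of attachment circuits may be joined."""
        self._provisioned[(source_aii, target_aii)] = pw_id

    def _eligible_on(self, src_ip: str, iface: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net and iface in ifaces for net, ifaces in self._eligible)

    def _within_rate(self, src_ip: str, now: float) -> bool:
        """Fixed-window counter per peer; only eligible peers reach this point."""
        idx = int(now // self._window_s)
        w, count = self._counts.get(src_ip, (idx, 0))
        if w != idx:
            w, count = idx, 0
        count += 1
        self._counts[src_ip] = (w, count)
        return count <= self._max

    def admit(self, msg: SetupMessage, now: float) -> Tuple[bool, str]:
        # 1. Cheap data-path drop: not an eligible peer on this interface.
        if not self._eligible_on(msg.src_ip, msg.iface):
            return False, "drop: source is not an eligible peer on this interface"
        # 2. Rate limit per peer before any further parsing of the message.
        if not self._within_rate(msg.src_ip, now):
            return False, "drop: signaling rate limit exceeded"
        # 3. Both endpoint identifiers must match what was provisioned here.
        expected = self._provisioned.get((msg.source_aii, msg.target_aii))
        if expected is None:
            return False, "reject: no MS-PW provisioned between these attachment circuits"
        if expected != msg.pw_id:
            return False, "reject: PW identifier does not match provisioning"
        return True, "accept"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario with a deliberately tiny limit of one message per second."""
    adm = SignalingAdmission(max_per_window=1, window_s=1.0)
    adm.add_eligible_peer("192.0.2.1", interfaces={"ge-0/0/1"})        # provider B's ASBR
    adm.add_eligible_peer("198.51.100.0/30", interfaces={"ge-0/0/2"})  # provider C's S-PEs
    adm.provision_pw("acB:site-7", "acA:site-3", pw_id=17)
    good = SetupMessage("192.0.2.1", "ge-0/0/1", "acB:site-7", "acA:site-3", 17)
    return {
        "accepted":     adm.admit(good, now=0.0),
        "wrong_iface":  adm.admit(SetupMessage("192.0.2.1", "ge-0/0/2", "acB:site-7", "acA:site-3", 17), 0.0),
        "unknown_peer": adm.admit(SetupMessage("203.0.113.9", "ge-0/0/1", "acB:site-7", "acA:site-3", 17), 0.0),
        "wrong_ac":     adm.admit(SetupMessage("198.51.100.2", "ge-0/0/2", "acB:site-9", "acA:site-3", 17), 0.0),
        "wrong_pw_id":  adm.admit(SetupMessage("198.51.100.1", "ge-0/0/2", "acB:site-7", "acA:site-3", 99), 0.2),
        "rate_limited": adm.admit(good, now=0.5),
        "next_window":  adm.admit(good, now=1.2),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:13s} {'ok  ' if ok else 'fail'} {why}")
```

The ordering reflects the text's DoS concern: the eligibility and interface checks need no message parsing and can run in the data path, the rate limit bounds how much signaling any single peer can push into the control plane, and only then is the endpoint identification compared with what was provisioned so that a valid peer cannot splice a local attachment circuit to an arbitrary remote one.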

7.2. Intra-Provider MS-PWs

Security requirements for pseudowires are provided in [RFC3916]. These requirements also apply to MS-PWs.

MS-PWs are intended to enable many more PEs to provide PWE3 services in a given service provider network than traditional SS-PWs, particularly in access and metro environments where the PE may be situated closer to the ultimate endpoint of the service. In order to limit the impact of a compromise of one T-PE in a service provider network, the data path security requirements for inter-provider MS-PWs also apply to intra-provider MS-PWs in such cases.

8. Acknowledgments

The editors gratefully acknowledge the following contributors: Dimitri Papadimitriou (Alcatel-Lucent), Peter Busschbach (Alcatel-Lucent), Sasha Vainshtein (Axerra), Richard Spencer (British Telecom), Simon Delord (France Telecom), Deborah Brungard (AT&T), David McDysan (Verizon), Rahul Aggarwal (Juniper), Du Ke (ZTE), Cagatay Buyukkoc (ZTE), and Stewart Bryant (Cisco).

9. References
9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3916] Xiao, X., Ed., McPherson, D., Ed., and P. Pate, Ed., "Requirements for Pseudo-Wire Emulation Edge-to-Edge (PWE3)", RFC 3916, September 2004.

[RFC3985] Bryant, S., Ed., and P. Pate, Ed., "Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture", RFC 3985, March 2005.

9.2. Informative References

[i610] Recommendation I.610 "B-ISDN operation and maintenance principles and functions", February 1999.

[RFC5085] Nadeau, T., Ed., and C. Pignataro, Ed., "Pseudowire Virtual Circuit Connectivity Verification (VCCV): A Control Channel for Pseudowires", RFC 5085, December 2007.

[RFC4447] Martini, L., Ed., Rosen, E., El-Aawar, N., Smith, T., and G. Heron, "Pseudowire Setup and Maintenance Using the Label Distribution Protocol (LDP)", RFC 4447, April 2006.

[RFC4111] Fang, L., Ed., "Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs)", RFC 4111, July 2005.

[PWE3-OAM] Nadeau, T., Ed., Morrow, M., Ed., Busschbach, P., Ed., Alissaoui, M., Ed., and D. Allen, Ed., "Pseudo Wire (PW) OAM Message Mapping", Work in Progress, March 2005.

[RFC2914] Floyd, S., "Congestion Control Principles", BCP 41, RFC 2914, September 2000.

[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4364, February 2006.

[RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic Key Management", BCP 107, RFC 4107, June 2005.

Authors' Addresses

Nabil Bitar Verizon 117 West Street Waltham, MA 02145 EMail: nabil.n.bitar@verizon.com

Matthew Bocci Alcatel-Lucent Telecom Ltd, Voyager Place Shoppenhangers Road Maidenhead Berks, UK EMail: matthew.bocci@alcatel-lucent.co.uk

Luca Martini Cisco Systems, Inc. 9155 East Nichols Avenue, Suite 400 Englewood, CO, 80112 EMail: lmartini@cisco.com

Full Copyright Statement

Copyright (C) The IETF Trust (2008).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
