[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 RFC 4176

   L3VPN WG                                           Yacine El Mghazli
   Internet Draft                                               Alcatel
   <draft-ietf-l3vpn-mgt-fwk-01.txt>
   Category: Informational                             Thomas D. Nadeau
                                                          Cisco Systems
   Expires: July 2004
                                                           Kwok Ho Chan
                                                        Nortel Networks
  
                                                      Mohamed Boucadair
                                                         France Telecom
  
                                                         Arnaud Gonguet
                                                                Alcatel
  
  
                                                           January 2004
  
  
  
  
               Framework for L3VPN Operations and Management
  
  
  
  
  
  Status of this Memo
  
  
   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026 except that the right to produce derivative
   works is not granted.
  
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.
  
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress".
  
   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt
  
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.
  
  
  
  El Mghazli and al.     Expires - July 2004                 [Page 1]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  Abstract
  
   This document provides a framework for operation and management of
   Layer 3 Virtual Private Networks (L3VPNs). This framework intends to
   produce a coherent description of the significant technical issues
   that are important in the design of L3VPN management solutions.
   Selection of specific approaches, making choices among information
   models and protocols are outside of the scope of this document.
  
  
  Conventions used in this document
  
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as deL3scribed in [RFC2119].
  
  
  Table of Contents
  
   1. Introduction...................................................4
      1.1 Changes since last version.................................4
      1.2 Terminology................................................4
      1.3 Management Functions.......................................5
      1.4 Reference Models...........................................6
   2. PPVPN Service Operations and Management........................8
      2.1 Service Management: Overview...............................8
      2.2 PPVPN Service Offering Management..........................9
      2.3 PPVPN Service Order Management.............................9
      2.4 PPVPN Service Assurance....................................9
      2.5 Customer Service Management Information Model..............9
           2.5.1 SLA/SLS Content....................................10
      2.6 Customer Management Functions.............................10
           2.6.1 Fault Management...................................11
           2.6.2 Configuration Management...........................11
           2.6.3 Accounting.........................................11
           2.6.4 Performance Management.............................12
           2.6.5 Security Management................................12
      2.7 Customer Management Architecture..........................13
           2.7.1 Functional Architecture............................14
           2.7.2 Communication......................................14
   3. L3VPN Provider Network Manager................................14
      3.1 Provider Network Management Definition....................14
      3.2 Network Management Functions..............................15
           3.2.1 Fault Management...................................15
           3.2.2 Configuration Management...........................16
           3.2.3 Accounting.........................................20
           3.2.4 Performance Management.............................20
           3.2.5 Security Management................................20
      3.3 Network Management Information Models.....................20
  
  
  El Mghazli and al.     Expires - July 2004                 [Page 2]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
      3.4 Network Management Architecture...........................21
   4. L3VPN Devices.................................................21
      4.1 Information model.........................................21
           4.1.1 Standard MIBs/PIBs.................................21
           4.1.2 L3VPN specific MIBs/PIBs...........................22
      4.2 Communication.............................................23
   5. Configuration aspects of PPVPN solutions......................23
      5.1 Layer 2 VPNs..............................................23
           5.1.1 VPWS...............................................23
           5.1.2 VPLS...............................................23
      5.2 Layer 3 VPNs..............................................23
           5.2.1 PE-based 2547bis...................................23
           5.2.2 PE-based Virtual Router............................23
           5.2.3 CE-based VPNs using IPSec..........................23
   Security Considerations..........................................23
   References.......................................................24
   Acknowledgments..................................................25
   Authors' Addresses...............................................25
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  El Mghazli and al.     Expires - July 2004                 [Page 3]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  1. Introduction
  
  1.1 Changes since last version
  
     . Add new section 1.2 on terminology.
     . Rewording of major parts of the document.
  
  1.2 Terminology
  
   In this document, the following terms are used and defined as
   follows:
  
   VPN:
      Virtual Private Network. A set of transmission and switching
      resources, which will be used over a public infrastructure to
      process  the  (IP)  traffic  that  characterizes  communication
      services between the sites or premises interconnected via this
      VPN. Such VPN networks MUST provide user identification and
      authorization capabilities so that their access can be granted
      accordingly, and they SHOULD also provide some guarantees as far
      as the preservation of the VPN traffic's confidentiality is
      concerned.
  
   VPN Instance:
      From a management standpoint, a VPN instance is the collection of
      management data that strictly refer to a given VPN that has been
      deployed and managed by a VPN service provider.
  
   VPN Site:
      A VPN customer's location that can access at least one VPN.
  
   VPN Service Provider (SP):
      A Service Provider that offers VPN-related services.
  
   VPN Customer:
      Refers to a customer that bought VPNs from a VPN service provider.
  
   PPVPN:
      Provider  Provisioned  VPN.  Denotes  VPNs  for  which  a  service
      provider participates in provisioning and management.
  
   L3VPN:
      PPVPN for providing layer-3 (routed) services. See [L3VPN-FRWK].
  
   Customer Agent:
      Denotes the entity that is responsible for requesting VPN customer
      specific information.
  
  
  
  
  El Mghazli and al.     Expires - July 2004                 [Page 4]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
   SLA:
      Service Level Agreement.
  
   SLS:
      Service Level Specifications.
  
  
  1.3 Management Functions
  
   For any type of Layer-3 PPVPN (PE or CE-based VPNs) it is recommended
   to have a management platform where the VPN-related information could
   be collected and managed. The Service and Network Management System
   may centralize information related to instances of a VPN and allow
   users to configure and provisions each instance from a central
   location.
  
   A SP must be able to manage the capabilities and characteristics of
   their VPN services. Customers should have means to ensure fulfillment
   of the VPN service they subscribed to. To the extent possible,
   automated operations and interoperability with standard management
   protocols should be supported.
  
   Two main management functions are identified:
  
     . A customer service management function:
  
   Provides the means for a customer to query or configure customer
   specific information, or receive alarms regarding his or her VPN.
   Customer specific information includes data related to contact,
   billing,  site,  access  network,  IP  address,  routing  protocol
   parameters, etc. It may also include confidential data, such as
   encryption keys. Several solutions could be used: (1) proprietary
   network management system (2) SNMP manager (3) PDP function (4)
   directory service, etc. The customer should have a means to order
   VPN-based  services  (we  will  refer  to  this  function  as  "VPN
   Ordering").
  
     . A provider network management function:
  
   This function is responsible for configuring and provisioning the
   network  resources  in  order  to  meet  the  offered  VPN  services
   requirements. This mainly consists of (1) managing, (2) provisioning
   and (3) configuring the physical links, the offered VPNS, the
   subscribed  customers  and  the  VPN  services  offering.  Additional
   features to be supported includes add a VPN, add a customer, delete a
   VPN, modifying VPN-related parameters. In addition, the VPN-SLS
   assurance should be deployed in order to verify the fulfillment of
   the subscribed VPN agreements.
  
  
  
  El Mghazli and al.     Expires - July 2004                 [Page 5]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  
  1.4 Reference Models
  
   The ITU-T Telecommunications Management Network has the following
   generic requirements structure:
  
     . Engineer,  deploy  and  manage  the  switching,  routing  and
        transmission resources supporting the service, from a network
        perspective (network element management);
  
     . Manage  the  VPNs  deployed  over  these  resources  (network
        management);
  
     . Manage the VPN service (service management);
  
  
      - - - - - - - - - - - - - - - - - - - - - - - -:- - - - - - - - -
      Service      +-------------+                   :      +----------+
      Management   |   Service   |<------------------:----->| Customer |
      Layer        |   Manager   |                   :      | Agent    |
                   +-------------+                   :      +----------+
      - - - - - - - - - - ^ - - - - - - - - - - - - -:- - - - - - - - -
      Network             |       +------------+     :
      Management          |       |  Provider  |     :
      Layer               |       |  Network   |  Customer
                          +------>|  Manager   |  Interface
                                  +------------+     :
      - - - - - - - - - - - - - - - - - ^ - - - - - -:- - - - - - - - -
      Network Element                   |            :
      Management                        |  +------+  :  +------+
      Layer                             |  |      |  :  |  CE  |
                                        +->|  PE  |  :  |device|
                                           |device|  :  |  of  |
                                           |      |--:--|VPN  A|
                                           +------+  :  +------+
      ---------------------------------------------->:<----------------
                     SP network                      :  Customer Network
  
            Figure 1: Reference Model for PE-based L3VPNs Management.
  
  
  
  
  
  
  
  
  
  
  
  
  El Mghazli and al.     Expires - July 2004                 [Page 6]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  
      - - - - - - - - - - - - - - - - - - - - - - - -:- - - - - - - - -
      Service      +-------------+                   :      +----------+
      Management   |   Service   |<------------------:----->| Customer |
      Layer        |   Manager   |                   :      | Agent    |
                   +-------------+                   :      +----------+
      - - - - - - - - - - ^ - - - - - - - - - - - - -:- - - - - - - - -
      Network             |       +------------+     :
      Management          |       |  Provider  |     :
      Layer               |       |  Network   |  Customer
                          +------>|  Manager   |  Interface
                                  +------------+     :
      - - - - - - - - - - - - - - - -^- - - -^- - - -:- - - - - - - - -
      Network Element                |       +-------:---------------+
      Management                     |     +------+  :  +------+     |
      Layer                          |     |      |  :  |  CE  |     |
                                     +---->|  PE  |  :  |device|<----+
                                           |device|  :  |  of  |
                                           |      |--:--|VPN  A|
                                           +------+  :  +------+
      ---------------------------------------------->:<----------------
                     SP network                      :  Customer Network
  
            Figure 2: Reference Model for CE-based L3VPNs Management.
  
   Figure 1 and 2 (see above) presents the reference models for both PE
   and  CE-based  L3VPN  management,  according  to  the  aforementioned
   generic structure.
  
   In both models, the service manager administrates customer specific
   attributes, such as customer Identifier (ID), personal information
   (e.g., name, address, phone number, credit card number, etc.),
   subscription  services  and  parameters,  access  control  policy
   information, billing and statistical information, etc.
  
   In  the  PE-based  reference  model,  the  provider  network  manager
   administrates device attributes and their relationship, covering PE
   devices and other devices constructing the corresponding PE-based
   VPN.
  
   In  the  CE-based  reference  model,  the  provider  network  manager
   administrates device attributes and their relationship, covering PE
   *and* CE devices constructing the corresponding CE-based VPN.
  
   Network and customer management systems that are responsible for
   managing VPN networks, have several challenges depending on the type
   of VPN network(s) they are required to manage.
  
  
  
  
  El Mghazli and al.     Expires - July 2004                 [Page 7]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  2. PPVPN Service Operations and Management
  
   The service management groups all functions that aim at managing the
   service-based operations like service ordering, service subscription,
   activation, etc.
  
   The  Customer  Management  function  controls  the  PPVPN  service
   management at the Service Management Layer (SML). It mainly consists
   of defining the PPVPN services offered by the SP, collecting and
   consolidating the customer PPVPN services requirements, as well as
   performing  some  reporting  for  the  customer.  This  function  is
   correlated with the Network Management function at the Network
   Management  Layer  (NML)  for  initiating  the  PPVPN  services
   provisioning, and getting some service reporting.
  
  
  2.1 Service Management: Overview
  
          + - - - - - - - - - - - - - - - - - - - - - - - - -  +
          | Service    +----------------+   +----------------+ |
          | Management |   VPN  Offering|   | VPN Order      | |
          |            |   Management   |   |    Management  | |
          |            +----------------+   +----------------+ |
          |            +----------------+   +----------------+ |
          |            |   VPN          |   | VPN-based      | |
          |            |   Assurance    |   | SLS Management | |
          |            +----------------+   +----------------+ |
          + - - - - - - - - - - - - - - - - - - - - - - - - -  +
  
               Figure 3: Overview of the Service Management
  
   A customer must have a means to view the topology, operational state,
   order status, and other parameters associated with the VPN service
   offering that has been subscribed.
  
   All aspects of management information about CE devices and customer
   attributes of a PPVPN manageable by a SP should be capable of being
   configured and maintained by an authenticated, authorized Service
   manager.
  
   A customer agent should be able to make dynamic requests for changing
   parameters describing a service. A customer should be able to receive
   response from the SP network in response to these requests (modulo
   the existence of necessary agreements). Communication between
   customer Agents and (VPN) service providers will rely upon a
   query/response mechanism.
  
  
  
  El Mghazli and al.     Expires - July 2004                 [Page 8]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
   A customer who may not be able to afford the resources to manage its
   CPE premises should be able to outsource the management of the VPN to
   the service provider(s) supporting the network.
  
  
  2.2 PPVPN Service Offering Management
  
   The deployment of a VPN hopefully addresses customers' requirements.
   Thus, the provider must have the means to advertise the VPN-based
   services it offers. Then, the potential customers could select the
   service they want to subscribe to. Additional features could be
   associated to this subscription phase, like the selection of a level
   of quality associated to the delivery of the VPN service, the level
   of management of the VPN service performed by the SP, security
   options, etc.
  
  
  2.3 PPVPN Service Order Management
  
   This operation aims at managing the requests initiated by the
   customers and tracks the status of the achievement of the related
   operations. The activation of the orders is conditioned by the
   availability of the resources that meet the customer's requirements
   with the agreed guaranties (note that could be a result of a
   negotiation phase between the customer and the provider).
  
  
  2.4 PPVPN Service Assurance
  
   The customer must have the means to evaluate the fulfillment of the
   contracted SLA with the provider. Thus, the provider must monitor,
   measure and provide some statistical information to the customer
   assuming  an  agreement  between  both  parties  on  the  measurement
   methodology as well as the specification of the corresponding (set
   of) quality of service indicators.
  
  
  2.5 Customer Service Management Information Model
  
   This section presents the information model that is used for PPVPN
   service management at the SML. The information models represent the
   data that need to be managed, and the way they are represented. At
   the SML, the information model that is foreseen is composed of
   Service Level Agreements (SLA) and Service Level Specifications
   (SLS).
  
  
  
  
  
  
  El Mghazli and al.     Expires - July 2004                 [Page 9]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
     2.5.1 SLA/SLS Content
  
   Services are described through Service Level Agreements (SLA) that
   are contractual documents between customers and service providers.
   The technical part of the service description is called the Service
   Level  Specification  (SLS).  The  SLS  groups  different  kinds  of
   parameters. Some are more related with the description of the
   transport of the packets, and some with the specification of the
   service itself.
  
   A Service Level Specification (SLS) may be defined per access network
   connection, per VPN, per VPN site, and/or per VPN route. The service
   provider may define objectives and the measurement intervals for at
   least the SLS using the following Service Level Objective (SLO)
   parameters:
  
     . QoS and traffic parameters
     . Availability for the site, VPN, or access connection
     . Duration of outage intervals per site, route or VPN
     . Service activation interval (e.g., time to turn up a new site)
     . Trouble report response time interval
     . Time to repair interval
     . Total incoming/outgoing traffic from a site, a (VPN) route or
        that has transited through the whole VPN
     . Measurement of non-conforming incoming/outgoing traffic
        (compliance of traffic should deserve some elaboration, because
        of many perspectives - security, QoS, routing, etc.) from a
        site, a (VPN) route, or which has transited through the whole
        VPN
  
   The service provider and the customer may negotiate contractual
   penalties in the case(s) where the provider does not meet a (set of)
   SLS performance objective(s).
  
   Traffic parameters and actions should be defined for incoming and
   outgoing packets that go through the demarcation between the service
   provider premises and the customer's premises. For example, traffic
   policing functions may be activated at the ingress of the service
   provider's network, while traffic shaping capabilities could be
   activated at the egress of the service provider's network.
  
  
  2.6 Customer Management Functions
  
   This section presents detailed customer management functions in the
   traditional  fault,  configuration,  accounting,  performance,  and
   security (FCAPS) management categories.
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 10]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  
  
     2.6.1 Fault Management
  
   Basically the fault management function of the Customer Service
   Manager  relies  upon  the  manipulation  of  network  layer  failure
   information, and it reports incidents to the impacted customers. Such
   reports should be based upon and relate to the VPN service offering
   subscribed by the customer. The Customer Management function support
   for fault management includes:
  
     . Indication of customer's services impacted by failure,
     . Incident recording or logs.
  
  
  
     2.6.2 Configuration Management
  
   The configuration management function of the Customer Manager must be
   able to configure PPVPN service parameters with the level of detail
   that the customer is able to specify, according to service templates
   defined by the provider.
  
   A service template contains fields which, when instantiated, yield a
   definite service requirement or policy. For example, a template for
   an IPSec tunnel [IPSEC] would contain fields such as tunnel end
   points,   authentication   modes,   encryption   and   authentication
   algorithms, shared keys (if any), and traffic filters.
  
   A BGP/MPLS-based VPN service template would contain fields such as
   the customer premises that need to be interconnected via the VPN.
   A QoS agreement template would contain fields such as one-way transit
   delay, inter-packet delay variation, throughput, and packet loss
   thresholds.
  
  
  
     2.6.3 Accounting
  
   Basically, the accounting management function of the Customer Manager
   is provided with network layer measurements information and manages
   this information. The Customer Manager is responsible for the
   following accounting functions:
  
     . Retrieval of accounting information from the Provider Network
        Manager,
     . Analysis, storage and administration of measurements.
  
  
  El Mghazli and al.     Expires - July 2004                [Page 11]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  
   Some providers may require near-real time reporting of measurement
   information, and may offer this as part of a customer network
   management service.
  
   If a SP supports "Dynamic Bandwidth Management" service, then the
   schedule and the amount of the bandwidth required to perform
   requested bandwidth allocation change(s) must be traceable for
   monitoring and accounting purposes.
  
   Solutions should state compliance with accounting requirements, as
   described in section 1.7 of [RFC2975].
  
  
  
     2.6.4 Performance Management
  
   >From the Customer Manager's perspective, performance management
   includes functions involved in the determination of the conformance
   level  with  the  Service  Level  Specifications,  such  as  QoS  and
   availability measurements. The objective is to correlate accounting
   information with performance and fault management information to
   produce billing that takes into account SLA provisions for periods of
   time where the service level objectives are not met.
  
   The  performance  information  should  reflect  the  quality  of  the
   subscribed VPN service as perceived by the customer. This information
   could be measured by the provider or controlled by a third party. The
   parameters that will be used to reflect the performance level could
   be negotiated and agreed between the service provider and the
   customer during the VPN service negotiation phase.
  
   Performance management should also support analysis of important
   aspects of a PPVPN, such as bandwidth utilization, response time,
   availability, QoS statistics, and trends based on collected data.
  
  
  
     2.6.5 Security Management
  
   From the Customer Manager's perspective, the security management
   function includes management features to guarantee the security of
   devices, configuration data and access connections.
  
  
  
  
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 12]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
      2.6.5.1   Management Access Control
  
   Management access control determines the privileges that a user has
   for particular applications and parts of the network. Without such
   control, only the security of the data and control traffic is
   protected,  leaving  the  devices  providing  the  PPVPN  network
   unprotected, among other equipment or resources. Access control
   capabilities protect these devices to ensure that users have access
   to the sole resources and applications they are granted to use.
  
  
  
      2.6.5.2   Authentication
  
   Authentication is the process of verifying the identity of a VPN
   user.  The  Service  Manager  must  support  standard  methods  for
   authenticating users attempting to access VPN services.
  
   Scalability is critical as the number of nomadic/mobile clients is
   increasing rapidly. The authentication scheme implemented for such
   deployments must be manageable for large numbers of users and VPN
   access points.
  
   Support for strong authentication schemes shall be supported to
   ensure the security of both VPN access point-to-VPN access point (PE
   to PE) and client-to-VPN Access point (CE-to-PE) communications. This
   is particularly important to prevent VPN access point (VPN AP)
   spoofing. VPN Access Point Spoofing is the situation where an
   attacker tries to convince a PE or a CE that the attacker is the VPN
   Access Point. If an attacker succeeds, then the device will send VPN
   traffic to the attacker (who could forward it on to the actual (and
   granted)  access  point  after  compromising  confidentiality  and/or
   integrity).
  
   In other words, a non-authenticated VPN AP can be spoofed with a man-
   in-the-middle attack, because the endpoints rarely verify each other.
   A weakly authenticated VPN AP may be subject to such an attack.
   However, strongly authenticated VPN APs are not subject to such
   attacks, because the man-in-the-middle cannot authenticate as the
   real AP, due to the strong authentication algorithms.
  
  
  2.7 Customer Management Architecture
  
   This section proposes a high level architecture for the PPVPN
   management framework as far as the SML layer is concerned. The goal
   is to map the customer management functions described in section 2.3
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 13]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
   to  architectural  yet  functional  blocks,  and  to  describe  the
   communication with the other PPVPN management functions.
  
  
     2.7.1 Functional Architecture
  
   Two main functional blocks can be recognized:
  
     . A PPVPN Service Manager, for defining the PPVPN services and
        initiating the corresponding provisioning. This block takes the
        Customer Agent requirements as inputs, and the Provider Network
        Management provisioning system as the output.
  
     . A  PPVPN  Service  Assurance  Manager,  for  managing  services
        failures, and performing customer reporting. This block takes
        the Provider Network Management assurance system as an input,
        and the Customer Agent as the output.
  
  
  
     2.7.2 Communication
  
  
      2.7.2.1   Customer Agent interface
  
   TBD
  
  
  
      2.7.2.2   Provider Network Management interface
  
   TBD
  
  
  3. L3VPN Provider Network Manager
  
  3.1 Provider Network Management Definition
  
  
   When implementing a VPN architecture within a domain (or a set of
   domains managed by a single ISP), an ISP must have a means to view
   the physical and logical topology of the VPN premises, the VPN
   operational status, the VPN service ordering status, the VPN service
   handling, the VPN service activation status, and other aspects
   associated with each customer's VPN in terms of set of relevant
   parameters and attributes.
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 14]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  
   The management of a VPN service from a provider's perspective
   consists mainly in:
     . Managing the customers (the term "customer" denotes a role
        rather than the end user, thus a SP could be a customer) and
        end-users in terms of SLA
     . Managing the VPN premises (especially creating, modifying and
        deleting operations, editing the related information to a
        specific link or supervising the AAA [RFC2903][RFC2906]
        operations)
     . Managing the CE-PE links (particularly creating, modifying and
        deleting links, editing the related information to a specific
        VPN)
     . Managing the service ordering like Quality of Service in terms
        of supported classes of service, traffic isolation, etc.
  
   Currently, proprietary methods are often used to manage VPNs. The
   additional expense associated with operators having to use multiple
   proprietary configuration-related management methods (e.g., Command
   Line Interface (CLI) languages) to access such systems is not
   recommended, because it affects the overall cost of the service
   (including the exploitation costs), especially when multiple vendor
   technologies (hence multiple expertise) are used to support the VPN
   service offering. Therefore, devices should provide standards-based
   interfaces  wherever  feasible.  From  this  perspective,  additional
   requirements on possible interoperability issues and availability of
   such standardized management interfaces need to be investigated.
  
  
  3.2 Network Management Functions
  
   In addition, there can be internal service provided by the SP for
   satisfying the customer service requirements. Some of these may
   include the notion of dynamic deployment of resources for supporting
   the customer visible services, high availability service for the
   customer  may  be  supported  by  automatic  failure  detection  and
   automatic switchover to back-up VPNs. These are accomplished with
   inter-working  with  the  FCAPS  capabilities  of  Provider  Network
   Manager.
  
  
  
     3.2.1 Fault Management
  
   The Provider Network Manager support for fault management includes:
  
     . Fault detection (incidents reports, alarms, failure
        visualization),
  
  
  El Mghazli and al.     Expires - July 2004                [Page 15]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
     . Fault localization (analysis of alarms reports, diagnostics),
     . Corrective actions (data path, routing, resource allocation).
  
   Since L3VPNs rely upon a common network infrastructure, the Provider
   Network Manager provides a means to inform the Service Manager about
   the VPN customers impacted by a failure in the infrastructure. The
   Provider Network Manager should provide pointers to the related
   customer configuration information to contribute to the procedures of
   fault isolation and the determination of corrective actions.
  
   It is desirable to detect faults caused by configuration errors,
   because these may cause VPN service to fail, or not meet other
   requirements (e.g., traffic and routing isolation). One approach
   could be a protocol that systematically checks all constraints have
   been taken into account, and consistency checks have been enforced
   during the tunnel configuration process.
  
   A capability that aims at checking IP reachability within a VPN must
   be provided for diagnostic purposes.
  
   A capability that aims at checking the configuration of a VPN device
   must be provided for diagnostic purposes.
  
  
  
     3.2.2 Configuration Management
  
   The Provider Network Manager must support configuration management
   capabilities to deploy VPNs. To do so, a Provider Network Manager
   must provide configuration management to provision at least the
   following L3VPN components: PE, CE, hierarchical tunnels, access
   connections, routing, and QoS, as detailed in this section. If access
   to the Internet is provided, then this option must also be
   configurable.
  
   Provisioning for adding or removing VPN customer premises should be
   as automated as possible.
  
   Finally, the Provider Network Manager must ensure that these devices
   and protocols are provisioned consistently and correctly. The
   solution should provide a means for checking if a service order is
   correctly provisioned. This would represent one method of diagnosing
   configuration errors. Configuration errors can arise due to a variety
   of reasons: manual configuration, intruder attacks, and conflicting
   service requirements.
  
   Requirements for L3VPN configuration management are:
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 16]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
     . The Provider Network Manager must support configuration of VPN
        membership
  
     . The Provider Network Manager should use identifiers for SPs,
        L3VPNs, PEs, CEs, hierarchical tunnels and access connections as
        described in [L3VPN-FRWK].
  
     . Tunnels must be configured between PE/CE devices. This requires
        coordination of tunnel identifiers, hierarchical tunnels, VPNs,
        and any associated service information, for example, a QoS
        service.
  
     . Routing protocols running between PE routers and CE devices must
        be configured. For multicast services, multicast routing
        protocols must also be configurable.
  
     . Routing protocols running between PE routers, and between PE and
        P routers must also be configured.
  
   PE-based only:
  
     . Routing protocols running between PE routers and CE devices must
        be configured on a per VPN basis. The Provider Network Manager
        must support configuration of CE routing protocol for each
        access connection.
  
     . The configuration of a PE-based L3VPN must be coordinated with
        the configuration of the underlying infrastructure, including
        Layer 1 and 2 networks interconnecting components of a L3VPN.
  
  
  
      3.2.2.1   Provisioning Routing-based Configuration Information
  
   The Provider Network Manager must provision parameters for the IGP
   for a L3VPN. This includes metrics, capacity, QoS capability, and
   restoration parameters.
  
  
  
      3.2.2.2   Provisioning Network Access-based Configuration Information
  
   The Provider Network Manager must provision network access between
   SP-managed PE and CE equipments.
  
  
  
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 17]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
      3.2.2.3   Provisioning Security Services-based Configuration Information
  
   When a security service is requested, the Provider Network Manager
   must provision the entities and associated parameters involved in the
   provisioning of the service. For example, for IPSec services,
   tunnels, options, keys, and other parameters must be provisioned at
   either the CE and/or the PE routers. In the case of an intrusion
   detection service, the filtering and detection rules must be
   provisioned on a VPN basis.
  
  
  
      3.2.2.4   Provisioning VPN Resource Parameters
  
   A service provider must have a means to dynamically provision
   resources associated with VPN services. For example, in a PE-based
   service, the number and size of virtual switching and forwarding
   table instances must be provisioned.
  
   Dynamic VPN resource allocation is crucial to cope with the frequent
   requests for changes that are expressed by customers (e.g., sites
   joining or leaving a VPN), as well as to achieve scalability. The PE
   routers should be able to dynamically assign the VPN resources. This
   capability is especially important for dial-up and wireless VPN
   services.
  
   If a SP supports a "Dynamic Bandwidth Management" service, then the
   dates, times, amounts and intervals required to perform requested
   bandwidth allocation change(s) must be traceable for accounting
   purposes.
  
   If a SP supports a "Dynamic Bandwidth Management" service, then the
   provisioning system must be able to make requested changes within the
   ranges and bounds specified in the Service Level Specifications.
   Examples of QoS parameters are the response time and the probability
   of being able to service such a request.
  
  
  
      3.2.2.5   Provisioning Value-Added Service Access
  
   A L3VPN service provides controlled access between a set of sites
   over a common backbone. However, many service providers also offer a
   range of value-added services, for example: Internet access, firewall
   services, intrusion detection, IP telephony and IP Centrex,
   application hosting, backup, etc. It is outside of the scope of this
   document to define if and how these different services interact with
  
  
  El Mghazli and al.     Expires - July 2004                [Page 18]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
   the VPN service offering. However, the VPN service must be able to
   provide access to these various types of value-added services.
  
   A VPN service should allow the SP to supply the customer with
   different kinds of well-known IP services (e.g. DNS, NTP, RADIUS,
   etc.) needed for ordinary network operation and management. The
   provider should be able to provide IP services to multiple customers
   from one or many servers.
  
   A firewall function may be required to restrict access to the L3VPN
   from the Internet [Y.1311].
  
   A managed firewall service must be carrier-class. For redundancy and
   failure recovery purposes, a means for firewall fail-over should be
   provided. Managed firewall services that may be provided include
   dropping specified protocol types, intrusion protection, traffic-rate
   limiting against malicious attacks, etc.
  
   Managed firewalls must be supported on a per-VPN basis, although
   multiple VPNs will be supported by the same physical device. Managed
   firewalls should be provided at the access point(s) of the L3VPN.
   Such services may be embedded in the CE or PE devices, or implemented
   in standalone devices.
  
   The Provider Network Manager should allow a customer to outsource the
   management of an IP service to the SP providing the VPN or a third
   party.
  
   The management system should support collection of information
   necessary for optimal allocation of IP services in response to
   customers' orders, in correlation with provider-provisioned resources
   supporting the service.
  
   Reachability to and from the Internet from/to sites within a VPN must
   be configurable by an SP. Configuring routing policy to control
   distribution of VPN routes advertised to the Internet could realize
   this.
  
  
  
      3.2.2.6   Provisioning Hybrid VPN Services
  
   Configuration of inter-working L3VPN solutions should also be
   supported. Ensuring that security and end-to-end QoS issues are
   addressed.
  
  
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 19]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
     3.2.3 Accounting
  
   The Provider Network Manager is responsible for the measurements of
   resource utilization.
  
  
  
     3.2.4 Performance Management
  
   From the Provider Network Manager's perspective, performance
   management includes functions involved in monitoring and collecting
   performance data regarding devices, facilities, and services.
  
   The Provider Network Manager must monitor the devices' behavior to
   evaluate performance metrics associated with a SLS. Different
   measurement techniques may be necessary depending on the service for
   which an SLA is provided. Example services are QoS, security,
   multicast, and temporary access. These techniques may be either
   intrusive or non-intrusive, depending on the parameters being
   monitored.
  
   The Provider Network Manager must also monitor aspects of the VPN not
   directly associated with a SLS, such as resource utilization, status
   of devices and transmission facilities, as well as control of
   monitoring resources such as probes and remote agents at network
   access points used by customers and mobile users.
  
   Devices supporting L3VPN whose level of quality is defined by SLSs
   should have real-time performance measurements that have indicators
   and threshold crossing alerts. Such thresholds should be
   configurable.
  
  
  
     3.2.5 Security Management
  
   From the Provider Network Manager's perspective, the security
   management function of the Provider Network Manager must include
   management features to guarantee the preservation of the
   confidentiality of customers' traffic and control data as described
   in section 5.9 of [L3VPN-REQ].
  
  
  3.3 Network Management Information Models
  
   TBD
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 20]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  
  3.4 Network Management Architecture
  
   TBD
  
  
  4. L3VPN Devices
  
  4.1 Information model
  
   Each L3VPN solution must specify the information bases (MIBs, PIBs,
   XML schemas, etc.) for network elements involved in L3VPN services.
   This is an essential requirement in network provisioning. The
   approach should identify any L3VPN specific information not contained
   in a standard MIB.
  
  
  
     4.1.1 Standard MIBs/PIBs
  
      4.1.1.1   Customer visible routing
  
   According to section 3.3 of [L3VPN-FRWK], the following technologies
   are available for the exchange of routing information at the customer
   interface level. The corresponding MIBs can be used for managing
   routing policies across the customer interface.
  
     . Static routing
     . RIP (Routing Information Protocol)
     . OSPF (Open Shortest Path First)
     . BGP-4 (Border Gateway Protocol version 4)
  
  
  
      4.1.1.2   Routing across the SP backbone
  
   According to section 4.4 of [L3VPN-FRWK], the following technologies
   are available for routing within the SP network:
  
     . Per-VPN routing model
          o Static routing
          o RIP
          o OSPF
          o IS-IS
          o BGP-4
  
     . Aggregated routing model
  
  
  El Mghazli and al.     Expires - July 2004                [Page 21]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
          o MP-iBGP [MP-BGP4]
          o OSPF
          o IS-IS
  
  
  
      4.1.1.3   VPN tunneling
  
   According to section 4.4 of [L3VPN-FRWK], the following technologies
   are available for VPN tunneling within the SP network:
  
     . MPLS
     . GRE
     . IPSec ([IPSEC-MIB], [IPSEC-PIB])
     . IP-in-IP
  
  
  
      4.1.1.4   Quality of Service
  
   According to section 4.5 of [L3VPN-FRWK], the following technologies
   are available for QoS support within the SP network:
  
     . Diffserv ([RFC3289], [RFC3317])
     . RSVP signaling
  
  
  
     4.1.2 L3VPN specific MIBs/PIBs
  
      4.1.2.1   PE-based L3VPN
  
     . Layer 3 VPNs
          o BGP/MPLS VPNs ([MIB-2547], [PIB-2547])
          o Virtual Routers ([VR-MIB])
          o TBD
  
     . Layer 2 VPNs:
          o TBD
  
  
      4.1.2.2   CE-based L3VPN
  
     . TBD
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 22]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  
  4.2 Communication
  
   The deployment of a VPN may span a wide range of network equipment,
   potentially including equipment from multiple vendors. Therefore, the
   provisioning of a unified network management view of the VPN shall be
   simplified by means of standard management interfaces and models.
   This will also facilitate customer self-managed (monitored) network
   devices or systems.
  
   In case where significant configuration is required whenever a new
   service is to be provisioned, it is important for scalability reasons
   that the NMS provides a largely automated mechanism for the relevant
   configuration operations.
   Manual configuration of VPN services (i.e., new sites, or re-
   provisioning existing ones), could lead to scalability issues, and
   should be avoided. It is thus important for network operators to
   maintain visibility of the complete picture of the VPN through the
   NMS system. This should be achieved by using standard protocols such
   as SNMP, COPS, NetConf. Use of proprietary command-line interfaces is
   not recommended.
  
  
  5. Configuration aspects of PPVPN solutions
  
  5.1 Layer 2 VPNs
  
     5.1.1 VPWS
  
     5.1.15.1.2 VPLS
  
  5.2 Layer 3 VPNs
  
     5.2.1 PE-based 2547bis
  
     5.2.15.2.2 PE-based Virtual Router
  
     5.2.15.2.3 CE-based VPNs using IPSec
  
  Security Considerations
  
   TBD
  
  
  
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 23]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  References
  
   [L3VPN-REQ] M. Carugi, D. McDysan, L. Fang, F. Johansson, Ananth
      Nagarajan, J. Sumimoto, R. Wilder, 'Service requirements for Layer
      3 Provider Provisioned Virtual Private', draft-ietf-l3vpn-
      requirements-00.txt , March 2002.
  
   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
      Requirement Levels", BCP 14, RFC 2119, March 1997.
  
   [L3VPN-FRWK] R. Callon, M. Suzuki, J. De Clercq, B. Gleeson, A.
      Malis, K. Muthukrishnan, E. Rosen, C. Sargor, J. Yu, 'A Framework
      for Layer 3 Provider Provisioned Virtual Private Networks', draft-
      ietf-l3vpn-framework-00.txt>, April 2002.
  
   [RFC2096] F. Baker, 'IP Forwarding Table MIB', RFC2096, January 1997.
  
   [MP-BGP4] D Katz, Yakov Rekhter, T. Bates, R.Chandra, 'Multiprotocol
      Extensions for BGP-4', RFC2858, June 2000.
  
   [IPSEC-PIB] Avri Doria, David Arneson, Jamie Jason, Cliff Wang,
      Markus Stenberg, Man Li, 'IPSec Policy Information Base', draft-
      ietf-ipsp-ipsecpib-09.txt, February 2002.
  
   [RFC3289] F. Baker, K. Chan, A. Smith, 'Management Information Base
      for the Differentiated Services Architecture', RFC3289, May2002.
  
   [RFC3317] K. McCloghrie, K. Chan, R. Sahita, S. Hahn, 'Differentiated
      Services Quality of Service Policy Information Base', RFC3317,
      March 2003.
  
   [MIB-2547] Thomas Nadeau, 'MPLS/BGP Virtual Private Network
      Management Information Base UsingSMIv2', draft-ietf-l3vpn-mpls-
      vpn-mib-00.txt, May 2002.
  
   [PIB-2547] Yacine El Mghazli, 'BGP/MPLS VPN Policy Information Base',
      draft-yacine-ppvpn-2547bis-pib-02.txt, February 2003.
  
   [Y.1311.1] Carugi M., "Network Based IP VPN over MPLS
      architecture",Y.1311.1 ITU-T Recommendation, May 2001.
  
   [IPSEC] S. Kent et al., "Security Architecture for the Internet
      Protocol", RFC 2401, November 1998.
  
   [RFC 2975] B. Aboba et al, "Introduction to Accounting Management",
      October 2000.
  
  
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 24]
  

  Internet Draft   draft-ietf-l3vpn-mgt-fwk-01.txt       January 2004
  
  
  Acknowledgments
  
   Special Thanks to Nathalie Charton, Alban Couturier and Christian
   Jacquenet for their valuable comments.
  
  
  Authors' Addresses
  
   Yacine El Mghazli (Editor)
   Alcatel
   Route de Nozay
   91460 Marcoussis cedex - FRANCE
   Phone: +33 1 69 63 41 87
   Email: yacine.el_mghazli@alcatel.fr
  
   Thomas D. Nadeau
   Cisco Systems, Inc.
   300 Apollo Drive
   Chelmsford, MA 01824 - USA
   Phone: +1 978 497 3051
   Email: tnadeau@cisco.com
  
   Kwok Ho Chan
   Nortel Networks
   600 Technology Park Drive
   Billerica, MA 01821 - USA
   Phone: +1 978 288 8175
   Email: khchan@nortelnetworks.com
  
   Mohamed Boucadair
   France Telecom
   42, rue des Coutures
   BP 6243
   14066 Caen Cedex 4 - FRANCE
   Phone: +33 2 31 75 92 31
   Email: mohamed.boucadair@francetelecom.com
  
   Arnaud Gonguet
   Alcatel
   Route de Nozay
   91460 Marcoussis cedex - FRANCE
   Phone: +33 1 69 63 42 17
   Email: arnaud.gonguet@alcatel.fr
  
  
  
  
  
  
  
  
  El Mghazli and al.     Expires - July 2004                [Page 25]
  

Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/